Business Objects WebIntelligence client session cookie hijacking
10th Jan 2003 [SBWID-5924]
COMMAND

	Business Objects WebIntelligence client session cookie hijacking

SYSTEMS AFFECTED

	WebIntelligence 2.x products

PROBLEM

	Stijn Durant of Ubizen [http://www.ubizen.com] discovered:
	
	
	1) Brief description
	
	The WebIntelligence application is a web interface towards the  Business
	Objects application server. It uses HTTPS and cookies to keep  track  of
	user sessions. These session cookies are  vulnerable.  An  attacker  can
	guess session cookies and use this information  to  hijack  sessions  of
	other users, thereby gaining unauthorized access to the  WebIntelligence
	tool. Next, the attacker can take any action the original user  is  able
	to take, except changing the account password.
	
	There also  exists  a  win32  client  application  that  uses  the  same
	protocols and the same cookie  mechanism  to  connect  to  the  Business
	Objects server.
	
	Both web interface and client are vulnerable to session hijacking.
	
	2) Affected versions
	
	WebIntelligence 2.x products
	
	3) Details
	
	"WebIntelligence is the one tool that allows users to  access,  analyze,
	and  share  strategic  data  over  intranets  and  extranets  for   both
	traditional  relational  databases  and  online  analytical   processing
	(OLAP) servers."
	
	            ( http://www.businessobjects.com/products/webi/ )
	
	The WebIntelligence server assigns a cookie to each session for the purpose
	of session tracking. Whenever a user  connects  using  his/her  browser,
	he/she  receives  such  a  session  ID  cookie.   If   the   user   then
	authenticates  successfully,  the  WebIntelligence  server  marks   this
	session at server side as 'authenticated'.
	
	During the same session, the user's browser keeps  sending  this  cookie
	back to the server. This helps the server to keep track  of  the  user's
	session. As long as the session is  marked  'authenticated'  the  server
	will not prompt the user for his/her password anymore.
	
	So, if an attacker succeeds in stealing or guessing a user's session  ID
	cookie, the attacker may gain  access  to  this  user's  WebIntelligence
	session. It has been found that WebIntelligence uses  cookies  that  can
	be guessed by an attacker.
	
	As a result, the attacker can view any screen, including the mailbox, and
	perform any action the user can. The attacker cannot set a new
	password for the hijacked account as this  would  require  knowledge  of
	the current password.
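	
	The session tracking described above, with the guessable cookie replaced
	by an unpredictable one, as an added example (not Business Objects' code
	or its hotfix). The class, its method names and the lockout threshold are
	assumptions; it also issues a fresh ID at login and counts unknown IDs per
	client address so that guessing shows up.

```python
import secrets
from collections import Counter


class SessionStore:
    """Hypothetical server-side session table (all names are assumptions)."""

    MAX_MISSES = 5  # unknown-ID lookups tolerated per client address (assumed value)

    def __init__(self):
        self._sessions = {}       # session ID -> {"user": ..., "authenticated": ...}
        self._misses = Counter()  # client address -> unknown IDs presented so far

    def create(self):
        # 256 bits from the OS CSPRNG: no counter, timestamp or user data to guess from.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "authenticated": False}
        return sid

    def login(self, old_sid, user):
        # Issue a fresh ID at authentication, so the pre-login cookie is never
        # the one that ends up marked 'authenticated'.
        self._sessions.pop(old_sid, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "authenticated": True}
        return sid

    def lookup(self, sid, client_addr):
        # Return the session dict, or None. An address that has presented too
        # many unknown IDs is refused even if it later presents a valid one.
        if self.is_guessing(client_addr):
            return None
        session = self._sessions.get(sid)
        if session is None:
            self._misses[client_addr] += 1
        return session

    def is_guessing(self, client_addr):
        # True once an address reaches the miss threshold: a signal worth alerting on.
        return self._misses[client_addr] >= self.MAX_MISSES
```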
	
	4) Extension
	
	The Business Objects full client is a Windows application  that  can  be
	downloaded through the WebIntelligence interface. Although it  does  not
	run in a browser, it does use the same HTTPS  protocols  for  connecting
	to the WebIntelligence server and the same session ID cookies are  used.
	Therefore, ZABO is also vulnerable to this attack.
	
	The client only product (BusinessObjects) is not at risk.

SOLUTION

	
	5) Solution
	
	Business Objects ( http://www.businessobjects.com )  has  a  hotfix  for
	this issue (Bug ID 1063161) and it is expected that  this  fix  will  be
	incorporated in Service Pack 7, expected in the early part of Q2.
	
	Business Objects advises its customers to deploy the  appropriate  CSP
	on all their server machines. The appropriate CSPs for  SP3,  SP4,  SP5
	and SP6 can be downloaded from:
	
	http://techsupport.businessobjects.com/app/SecBulletin_120402.asp .
	
	
	6) Timeline (only relevant steps)
	
	November 2002: Ubizen contacted and provided details to Business
	Objects
	
	December 2002: Received bug ID and preliminary fix info from Business
	Objects
	
	January 2003: Business Objects released security bulletin and
	fixes to its customers
	
	7) Credits
	
	This  vulnerability  was  discovered  by  Stijn  Durant  of   Ubizen   (
	http://www.ubizen.com ).
	
	8) Disclaimer
	
	All information, advice and statements are  provided  "AS  IS",  without
	any warranty of any kind, express or implied, including but not  limited
	to, warranties of accuracy, timeliness, non-infringement or fitness  for
	a particular purpose. Ubizen  assumes  no  liability  for  any  loss  or
	damage whatsoever (direct, indirect, consequential  or  otherwise).  The
	use of and/or reliance on any of the information, advice  or  statements
	provided will be at the sole risk of the using/relying party.
	
	Copyright (c) 2003 by Ubizen N.V. All rights reserved. Ubizen,  SIL  and
	Security Intelligence Lab are trademarks  or  registered  trademarks  of
	Ubizen N.V. All  other  trademarks  or  registered  trademarks  are  the
	property of their respective owners.