Business Objects WebIntelligence 2.7.0 through 2.7.4 only enforces access controls on the client, which allows remote authenticated users to delete arbitrary files on the server via a crafted delete request using the InfoView web client.
Business Objects WebIntelligence versions 2.7.0 through 2.7.4 are vulnerable to a critical file deletion vulnerability. This allows authenticated attackers to remotely delete arbitrary files on the server, potentially leading to denial of service or complete system compromise. Successful exploitation requires only authenticated access to the InfoView web client.
Step 1: Authentication: The attacker successfully authenticates to the Business Objects WebIntelligence InfoView web client using valid credentials.
Step 2: Request Crafting: The attacker crafts a malicious HTTP DELETE request. This request targets the file deletion functionality within the InfoView client.
Step 3: Payload Injection: The crafted request includes parameters specifying the target file path on the server that the attacker wishes to delete. The attacker can specify any file the WebIntelligence service account has access to.
Step 4: Request Submission: The attacker submits the crafted DELETE request to the vulnerable WebIntelligence server.
Step 5: Server-Side Execution: The server, lacking proper authorization checks, processes the DELETE request and attempts to delete the specified file.
Step 6: File Deletion: The server successfully deletes the target file, resulting in a potential denial of service or further system compromise depending on the deleted file.
The vulnerability stems from a flawed implementation of access controls within the WebIntelligence application. Specifically, the application relies on client-side enforcement of file access permissions. This means the server trusts the client's requests regarding file deletion, without proper server-side validation. An attacker can craft a malicious delete request through the InfoView web client, bypassing the client-side checks and instructing the server to delete any file accessible to the WebIntelligence service account. The root cause is a lack of server-side authorization checks on file deletion requests, leading to an insecure direct object reference vulnerability.