Now-patched expression injection flaw opened the door to numerous exploits
A vulnerability impacting a trio of software products made by Qlik, a data analytics platform, could allow an attacker to read users’ local files via WebSockets.
The flaw (CVE-2019-11628), an expression injection vulnerability, was discovered in Qlik Sense Enterprise, QlikView Server, and Qlik Analytics Platform, reports Trustwave SpiderLabs.
According to the security firm, execution of the expression could lead to server-side request forgery (SSRF), arbitrary file read, and unauthorized information disclosure.
An attacker can exploit this by crafting a WebSocket request using JavaScript.
The script connects to the application and sends the message with the payload to read the C:/ProgramData/foo/readme.txt file on the server, SpiderLabs explained.
This exposes the file contents to the malicious actor.
“By changing the payload variable, it’s possible to read all other files as well as some system information such as computer name, OS user, document path, etc,” SpiderLabs’ security advisory reads.
After being alerted to the vulnerabilities back in March, Qlik took less than a month to roll out security updates for all potentially impacted services.
Users are advised to refer to the company’s support page to ensure they are running the latest (patched) versions of Qlik Sense Enterprise, QlikView Server, and Qlik Analytics Platform.