
Attacker can upload a malicious file in the application with a double extension in Qlik Sense

Rakesh_HB
Support

Last Update:

Nov 30, 2022 10:13:21 AM

Updated By:

Sonja_Bauernfeind

Created date:

Nov 30, 2022 10:12:05 AM

How to mitigate if an attacker uploads a malicious file in the application with a double extension in Qlik Sense?

XML files can be used for data ingestion. By default, XML is disabled as an upload type, but Qlik Sense provides the ability to allowlist XML as a data type.

Uploading an XML file that contains JavaScript (a stored cross-site scripting vector) would allow a malicious user to run code in the context of the targeted user's session.

Environment

Qlik Sense Enterprise on Windows February 2022 and previous versions.

Resolution

Add the following setting to the "C:\Program Files\Qlik\Sense\Repository\Repository.exe.conf" file:

<!-- Enables scanning of XML files uploaded through the ContentLibrary or AppContent for script tags -->
<add key="ScanXmlFileForScripts" value="true" />

When a script is detected in the XML file, the user is warned that the file cannot be uploaded.

[Image: File Format error.png]

Or the following error, depending on the Qlik Sense version:

[Image: File Format error1.png]

Fix Version:

Qlik Sense Enterprise on Windows May 2022.

From Qlik Sense May 2022 onwards, the Qlik Sense Repository Service scans XML files uploaded to AppContent or the Content Library for script tags.
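The following is an added, illustrative example of the kind of check the setting above enables; it is not Qlik's code and does not reproduce how the Repository Service implements its scan. It models two defensive decisions an upload endpoint can make before storing a file: reject names whose final extension is not allowlisted or that hide an active-content extension behind an allowed one (the double-extension case from the title), and reject XML that carries a script element, including namespace-prefixed, mixed-case, CDATA-wrapped or entity-encoded variants, or that is malformed but still contains script markup. The allowlist, the active-extension set and the sample uploads are all constructed for the example.

```python
"""Upload-side scanner for XML script content (added example, not Qlik's code)."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed allowlist: extensions this hypothetical content library accepts.
ALLOWED_EXTENSIONS = {"xml", "csv", "png"}
# Assumed set of extensions a browser would treat as active content if served
# inline; used only to flag double-extension names such as "page.html.xml".
ACTIVE_EXTENSIONS = {"html", "htm", "js", "svg"}

# Matches an opening <script> tag, optionally namespace-prefixed, in any case.
SCRIPT_TAG_RE = re.compile(r"<\s*(?:[\w.-]+:)?script\b", re.IGNORECASE)


@dataclass
class ScanResult:
    accepted: bool
    reason: str


def check_filename(filename: str) -> ScanResult:
    """Reject names whose last extension is not allowlisted, or whose earlier
    extensions include an active-content type (double extension)."""
    exts = filename.lower().split(".")[1:]
    if not exts or exts[-1] not in ALLOWED_EXTENSIONS:
        return ScanResult(False, "extension not allowlisted")
    if set(exts[:-1]) & ACTIVE_EXTENSIONS:
        return ScanResult(False, "double extension hides active content type")
    return ScanResult(True, "filename ok")


def contains_script(data: bytes) -> bool:
    """True if the XML has a script element, script markup hidden in CDATA or
    entity-encoded text, or is malformed but still contains '<script'."""
    text = data.decode("utf-8", errors="replace")
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        # Malformed XML: a lenient renderer may still execute it, so fall back
        # to a raw pattern match instead of accepting the file.
        return bool(SCRIPT_TAG_RE.search(text))
    for elem in root.iter():
        if not isinstance(elem.tag, str):
            continue  # comments / processing instructions have no string tag
        local_name = elem.tag.rsplit("}", 1)[-1]  # strip "{namespace-uri}"
        if local_name.lower() == "script":
            return True
        for chunk in (elem.text, elem.tail):
            # CDATA sections and &lt;script&gt; both surface here as plain text.
            if chunk and SCRIPT_TAG_RE.search(chunk):
                return True
    return bool(SCRIPT_TAG_RE.search(text))


def scan_upload(filename: str, data: bytes) -> ScanResult:
    """Combined decision: filename policy first, then content scan for XML."""
    name_check = check_filename(filename)
    if not name_check.accepted:
        return name_check
    if filename.lower().endswith(".xml") and contains_script(data):
        return ScanResult(False, "script tag detected in XML")
    return ScanResult(True, "accepted")


# Constructed sample uploads exercising each branch.
SAMPLES = [
    ("sales.xml", b"<rows><row><id>1</id></row></rows>"),
    ("sales.xml", b"<rows><script>alert(document.cookie)</script></rows>"),
    ("sales.xml", b'<r xmlns:h="http://www.w3.org/1999/xhtml"><h:SCRIPT>1</h:SCRIPT></r>'),
    ("sales.xml", b"<r><![CDATA[<script>1</script>]]></r>"),
    ("sales.xml", b"<r><script>unterminated"),
    ("page.html.xml", b"<r/>"),
    ("notes.txt", b"plain text"),
]

if __name__ == "__main__":
    for name, body in SAMPLES:
        result = scan_upload(name, body)
        verdict = "ACCEPT" if result.accepted else "REJECT"
        print(f"{name:14} {verdict:6} {result.reason}")
```

The scan is deliberately conservative: anything that fails to parse is treated as suspicious rather than waved through, because the risk is in how a browser renders the stored file, not in whether it is valid XML. Note that the standard library parser used here is not hardened against entity-expansion attacks; a production upload service should parse untrusted XML with a hardened parser (for example, defusedxml) or with entity expansion disabled.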

Cause

  • QB-1693
  • QB-8378
  • QB-11820

To allowlist XML files in Qlik Sense May 2022 and later versions, please contact the Qlik Support Team via Live chat or Submit a case!
