Attacker can upload a malicious file in the application with a double extension in Qlik Sense

How to mitigate if an attacker uploads a malicious file in the application with a double extension in Qlik Sense?

The XML files can be used for data ingestion. By default XML is disabled, but we do provide the ability to allow list XML as a data type.

Uploading an XML with Javascript (XSS) will allow a malicious user to run code in the context of the targeted user's session.

Environment

Qlik Sense Enterprise on Windows February 2022 and previous versions.

Resolution

Add the following flag in the "C:\Program Files\Qlik\Sense\Repository\Repository.exe.conf" file,

<!-- Flag will enable to scan for script tags in the uploaded XML files through the ContentLibrary or AppContent-->
<add key="ScanXmlFileForScripts" value="true" />

Upon detecting the script within the XML file, the User will be warned that the file can not be uploaded.

Or the below error based on the Qlik Sense version,

Fix Version:

Qlik Sense Enterprise on Windows May 2022.

• Uploading objects to content libraries
• Uploading an image to the app content folder

Cause

• QB-1693
• QB-8378
• QB-11820

To allowlist XML files in Qlik Sense May 2022 and later versions, please contact the Qlik Support Team via Live chat or Submit a case!