For each of the following NPrinting vulnerabilities, can you please advise whether you recognise the vulnerability, whether it has been remediated and, if so, in which release. If not, would you please advise if/when you plan to release the fix/upgrade.
1. Spreadsheet Formula Injection
The application allows users to import report templates as spreadsheets in XLSX format, but fails to adequately sanitise the contents. By supplying spreadsheet data beginning with '=', '@', '-' or '+', attackers could inject malicious formulae which will execute when the resulting file is opened. Using a maliciously crafted formula, an attacker could inject a Dynamic Data Exchange (DDE) formula that compromises the computer of anyone who views it in Microsoft Excel. This attack triggers a warning message from Excel, but users may trust that documents created using the application are safe to handle.
2. Overly Permissive Cross-Origin Resource Sharing Configuration
The application is configured to allow HTML5 Cross-Origin Resource Sharing (CORS) requests from any domain, as it returns an "Access-Control-Allow-Origin" header containing the value of the "Origin" header sent in the request. By default, web browsers implement a "same-origin" policy, meaning client-side content, such as JavaScript, can only interact with the domain on which it is running. A CORS policy is used to allow fine-grained control of whether and how content on other domains can interact with the domain that publishes it. Permitting arbitrary origins to interact with the application effectively disables the same-origin policy, allowing two-way interaction by third-party websites, which could allow an attacker to proxy malicious web requests via users' web browsers, masking the origin of an attack. As the application also specifies the "Access-Control-Allow-Credentials: true" header, third-party sites may be able to carry out privileged actions and retrieve sensitive information.
3. End-of-Life JavaScript Library in Use
The application uses a third-party JavaScript library (bootstrap v3.4.1) which is no longer supported. Libraries which are no longer supported or maintained do not receive security patches. Therefore, it will not be possible to resolve vulnerabilities that are identified after the discontinuation date. There are currently no known vulnerabilities for the identified library version.
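The mitigation for item 1 is to neutralise any cell value that begins with one of the trigger characters before it is written into a template or report. The following is an added example (not NPrinting's own code) that flags such cells for review and prefixes them with an apostrophe so Excel stores them as literal text; the sample rows are constructed, and the TAB and CR triggers beyond the four named above come from OWASP's CSV-injection guidance.

```python
"""Neutralise spreadsheet formula injection in cell values before they are
written to a report template. Added example for item 1 of the report above;
not NPrinting's own code."""

# Leading characters that make Excel interpret a cell as a formula.
# '=', '@', '-', '+' are the ones named in the finding; TAB and CR are the
# extra triggers listed in OWASP's CSV-injection guidance.
FORMULA_TRIGGERS = ("=", "@", "-", "+", "\t", "\r")


def is_formula_like(value) -> bool:
    """True if a string cell would be parsed as a formula when opened."""
    return isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)


def neutralise_cell(value):
    """Return a value that Excel will store as literal text.

    Numbers, booleans and None are returned unchanged: they cannot carry a
    formula. A string that starts with a trigger character gets a leading
    apostrophe, which Excel treats as a "store as text" marker. The caveat is
    that a numeric-looking string such as "-5" also becomes text, so numeric
    data should be written as numbers rather than strings.
    """
    if not isinstance(value, str):
        return value
    if value.startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def scan_rows(rows):
    """Detection side: list (row, col, value) for every cell that would be
    interpreted as a formula, e.g. when reviewing an uploaded template."""
    return [
        (r, c, cell)
        for r, row in enumerate(rows)
        for c, cell in enumerate(row)
        if is_formula_like(cell)
    ]


def neutralise_rows(rows):
    """Apply neutralise_cell to every cell of a row-major sheet."""
    return [[neutralise_cell(cell) for cell in row] for row in rows]


# Constructed sample: a small template as a list of rows. The formula-like
# strings are benign placeholders used only to exercise the checks.
SAMPLE_ROWS = [
    ["Region", "Sales", "Note"],
    ["North", 1200, "=SUM(B2:B3)"],
    ["South", 950, "on target"],
    ["=West", "-5", "@lookup"],
]

if __name__ == "__main__":
    for r, c, cell in scan_rows(SAMPLE_ROWS):
        print(f"row {r} col {c}: formula-like cell {cell!r}")
    print(neutralise_rows(SAMPLE_ROWS))
```

Run `scan_rows` on the uploaded template to see what would be reviewed, and `neutralise_rows` on data the application itself writes; the apostrophe prefix is the standard Excel escape, whereas a CSV export would additionally need the cell wrapped in double quotes.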
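For item 2, the fix is to stop echoing the request's Origin and instead compare it against a fixed allowlist. The added example below (not NPrinting code) places the reflected-Origin behaviour described in the finding beside an allowlist version, and includes a small classifier a tester can run against an endpoint's response headers to confirm which behaviour is in place. The origins and headers are constructed placeholders.

```python
"""Allowlist-based CORS decision and a check for the reflected-Origin
misconfiguration described in item 2. Added example, not NPrinting code;
the origins and headers below are constructed placeholders."""

# Assumption: the application knows the fixed set of front-end origins that
# legitimately call it with credentials. Placeholder hostnames.
ALLOWED_ORIGINS = frozenset({
    "https://reports.example.internal",
    "https://portal.example.internal",
})


def weak_cors_headers_for(origin):
    """The behaviour the finding describes: echo whatever Origin the
    request carried and allow credentials. Any site can then read
    authenticated responses from the user's browser."""
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_for(origin, allowed=ALLOWED_ORIGINS):
    """Hardened behaviour: echo the Origin only when it is on the allowlist.
    Unknown origins get no CORS headers at all, so the browser blocks the
    cross-origin read. 'Vary: Origin' keeps caches from serving one origin's
    headers to another."""
    if origin is None or origin not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def classify_cors(probe_origin, response_headers):
    """Characterise a response to a request sent with Origin: probe_origin.
    probe_origin should be one the application is NOT expected to trust;
    'reflected-with-credentials' is then the finding from the report."""
    headers = {k.lower(): v for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    acac = headers.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no-cors"
    if acao == "*":
        # Browsers refuse credentialed responses with a wildcard, so the
        # second case is broken rather than readable, but still a misconfig.
        return "wildcard-with-credentials" if acac else "wildcard"
    if acao == probe_origin:
        return "reflected-with-credentials" if acac else "reflected"
    return "fixed-origin"


def check_endpoint(handler, probe_origin="https://untrusted.example"):
    """Run the classification against a header-producing function, standing
    in for an HTTP request to the application with an untrusted Origin."""
    return classify_cors(probe_origin, handler(probe_origin))


if __name__ == "__main__":
    print("weak    :", check_endpoint(weak_cors_headers_for))
    print("hardened:", check_endpoint(cors_headers_for))
```

In a real verification the `handler` is replaced by an HTTP request carrying an Origin header the application should not trust; a result of `reflected-with-credentials` confirms the configuration in the finding, and `no-cors` or `fixed-origin` confirms the allowlist is in effect.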
Hi @SCB25
1. Not sure what you expect from Excel file reports? The beauty of it is that formulas are allowed. God forbid those are taken away. If you see a problem with someone injecting a malicious formula into a spreadsheet, then I think you have a much bigger problem. Given that only people with access to create templates can create formulas, your whole infrastructure would be much more compromised, as you would already have a traitor with much greater access working in your environment. If someone has access to do this to the report template, they can just run such an injection by themselves without the need for users to open the file. I see this as irrelevant.
2 & 3 @Ruggero_Piccoli or @Frank_S - do you want to comment on this?
cheers
Qlik Security Vulnerability Policy - Qlik Community - 1713629
A Qlik Support Case submission is needed in order to report product vulnerability issues.
Transcript: Opening a Support Case from the Qlik C... - Qlik Community - 1840694
You may manage your vulnerability report findings/information request as described in the policy above.
Kind regards
I'm unable to create a case - do I need a separate logon to access https://customerportal.qlik.com/?
When I try to log on to https://customerportal.qlik.com/ I get the error: "An error has occurred. Please contact Qlik Support using Chat Now. We appreciate your patience."
Thanks all - I found further answers through chatting with an NPrinting support person