Microsoft Report Viewer Cross Site Scripting

2011.08.26
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

================================================== Cross-Site Scripting (XSS) in Microsoft ReportViewer Controls Adam Bixby - Gotham Digital Science (labs@gdssecurity.com) Public Release Date: 8/9/2011 Confirmed Affected Software: Microsoft Report Viewer Redistributable 2005 SP1 and Microsoft Visual Studio 2005 Service Pack 1 Browser used for testing: IE8 (8.0.7601.17514) Severity: High MS Bulletin: MS11-067 - http://www.microsoft.com/technet/security/Bulletin/MS11-067.mspx CVE: CVE-2011-1976 ================================================== 1. Summary ================================================== The Microsoft ReportViewer Controls are a freely redistributable control that enables embedding reports in applications developed using the .NET Framework. A Cross-Site Scripting (XSS) vulnerability was found in the Microsoft.ReportViewer.WebForms.dll. The XSS vulnerability appears to affect all websites that utilize the affected controls. ================================================== 2. Technical Details ================================================== File: Microsoft.ReportViewer.WebForms.dll (PerformOperation() method of the SessionKeepAliveOperation class) 1) User controllable data enters via the "TimerMethod" URL parameter value and is assigned to the "andEnsureParam" string variable. string andEnsureParam = HandlerOperation.GetAndEnsureParam(urlQuery, "TimerMethod"); 2) The "andEnsureParam" variable with user-controllable input is then passed into the "s" string variable which is dynamically building a javascript block. The "s" variable is then passed to response.write(). Writing the un-validated data to the JS block creates the XSS exposure. string s = string.Format(CultureInfo.InvariantCulture, "&lt;html&gt;&lt;body&gt;&lt;script type=\"text/javascript\"&gt;parent.{0}();&lt;/script&gt;&lt;/body&gt;&lt;/html&gt;", new object[] { andEnsureParam }); response.Write(s); ================================================== 3. Proof-of-Concept Exploit ================================================== This vulnerability can be exploited against websites that have deployed the vulnerable Microsoft.ReportViewer.WebForms.dll. You will note that since the data is being written into an existing Javascript block that the attacker does not need to include any opening or closing tags (i.e.,<img>, <script>, etc) to execute code. Reproduction Request: https://test.com/Reserved.ReportViewerWebControl.axd?Mode=true&ReportID=&lt;arbitraryIDvalue&gt;&ControlID=&lt;validControlID&gt;&Culture=1033&UICulture=1033&ReportStack=1&OpType=SessionKeepAlive&TimerMethod=KeepAliveMethodctl00_PlaceHolderMain_SiteTopUsersByHits_ctl00TouchSession0;alert(document.cookie);//&CacheSeed= (Note: During testing of this issue, it appeard as though a valid ControlID parameter value was needed to exploit this issue) ================================================== 4. Recommendation ================================================== Update to the latest versions. For more information please see http://www.microsoft.com/technet/security/Bulletin/MS11-067.mspx ================================================== 5. About Gotham Digital Science ================================================== Gotham Digital Science (GDS) is an information security consulting firm that works with clients to identify, prevent, and manage security risks. For more information on GDS, please contact info@gdssecurity.com or visit http://www.gdssecurity.com.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top