(BEA WebLogic is Affected) Crystal Reports Input Validation Flaws Let Remote Users View and Delete Files and Deny Service
|
|
SecurityTracker Alert ID: 1010604
|
|
SecurityTracker URL: http://securitytracker.com/id?1010604
|
|
CVE Reference: CAN-2004-0204
|
Date: Jun 29 2004
|
Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): WebLogic Workshop 8.1
|
Description: Several vulnerabilities were reported in Crystal Reports and Crystal Enterprise. A remote user can view and delete arbitrary files
on the target system. A remote user can also consume disk space on the target system. BEA's WebLogic 8.1 includes Crystal Reports
and, therefore, is affected.
Ofer Maor from Imperva reported that the crystalimagehandler.aspx, crystalimagehandler.asp, and crystalimagehandler.jsp scripts do
not properly validate user-supplied image names in the 'dynamicimage' parameter. As a result, a remote user can supply a specially
crafted parameter to view files on the target system.
Some demonstration exploit URLs are provided:
http://[target]/crystalreportviewers/crystalimagehandler.aspx?dynamicimage=..\win.ini
http://[target]/crystalreportviewers/crystalimagehandler.aspx?dynamicimage=..\..\boot.ini
After the file is delivered, the file is deleted.
It is also reported that a remote user can repeatedly invoke the report generation modules
without retrieving the related images to cause the report engine to consume excessive disk space in the image file folder. A remote
user can consume all available disk space, the report said.
A demonstration exploit URL is provided:
http://[target]/crystalreportviewers/crystalimagehandler.aspx?dynamicimage=..\..\..\..\..\mydocuments\private\passwords.txt
The vendor was reportedly notified on April 26, 2004.
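A detection check for the 'dynamicimage' traversal described above, as an added example that is not part of the original alert or of any vendor code: it scans web access log lines for requests to the three handler scripts whose 'dynamicimage' value is not a bare file name. The combined log format, the sample log lines and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Handler scripts named in the advisory (.aspx, .asp and .jsp variants).
HANDLER_RE = re.compile(r"/crystalimagehandler\.(?:aspx|asp|jsp)$", re.I)
# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Jun/2004:10:00:01 +0000] "GET /crystalreportviewers/'
    'crystalimagehandler.aspx?dynamicimage=crystal1234.png HTTP/1.1" 200 5120',
    '198.51.100.7 - - [29/Jun/2004:10:00:05 +0000] "GET /crystalreportviewers/'
    'crystalimagehandler.aspx?dynamicimage=..\\..\\boot.ini HTTP/1.1" 200 211',
    '198.51.100.7 - - [29/Jun/2004:10:00:09 +0000] "GET /crystalreportviewers/'
    'crystalimagehandler.jsp?DynamicImage=%2e%2e%5cwin.ini HTTP/1.1" 200 92',
]


def suspicious_dynamicimage(url):
    """Return the decoded 'dynamicimage' value if it is not a bare file name."""
    parts = urlsplit(url)
    if not HANDLER_RE.search(parts.path):
        return None
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() != "dynamicimage":
            continue
        for _ in range(3):  # undo nested percent-encoding before matching
            value = unquote(value)
        # Assumption: a legitimate image name is a bare file name.
        if re.search(r"\.\.|[/\\]|^[A-Za-z]:", value):
            return value
    return None


def scan_log(lines):
    """Return (client, decoded_value) for each flagged access-log line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        value = suspicious_dynamicimage(m.group(1)) if m else None
        if value is not None:
            hits.append((line.split(" ", 1)[0], value))
    return hits


if __name__ == "__main__":
    for client, value in scan_log(SAMPLE_LOG):
        print(f"{client} requested dynamicimage={value!r}")
```

Because the alert states that the file is deleted after delivery, any flagged request that returned a 200 status warrants checking whether the named file still exists on the server.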
|
Impact: A remote user can view and delete arbitrary files on the target system.
A remote user can consume disk space on the target system.
|
Solution: Crystal Reports for BEA WebLogic Workshop 8.1 is vulnerable. A patch is available at:
http://support.businessobjects.com/fix/hot/critical/bulletins/security_bulletin_june04.asp
|
Vendor URL: dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_63.00.jsp
|
Cause: Input validation error, Resource error
|
Underlying OS: Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Mon, 28 Jun 2004 23:23:57 -0400
Subject: http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_63.00.jsp
|
http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_63.00.jsp
> Security Advisory: (BEA04-63.00)
>
> From: BEA Systems Inc.
>
> Minor Subject: Patch available to prevent arbitrary file access and possible disk
> space exhaustion
>
> Product(s) Affected: Crystal Reports as bundled with WebLogic Platform
>
> Threat level: High – Any user with access to the application can exploit this
> vulnerability
>
> Severity: High – The user can gain access to the server’s disk drive(s) or cause
> WebLogic Platform to crash
BEA Systems reported that WebLogic Platform 8.1 includes Crystal Reports and, therefore,
is affected by the recently reported vulnerability in Crystal Reports.
Crystal Reports for BEA WebLogic Workshop 8.1 is vulnerable. A patch is available at:
http://support.businessobjects.com/fix/hot/critical/bulletins/security_bulletin_june04.asp
|
|