Crystal Reports Input Validation Flaws Let Remote Users View and Delete Files and Deny Service
SecurityTracker Alert ID: 1010035
SecurityTracker URL: http://securitytracker.com/id?1010035
CVE Reference: CAN-2004-0204
Updated: Jun 8 2004
Original Entry Date: May 3 2004
Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): Crystal Reports and Crystal Enterprise; Versions 9, 10
Description: Several vulnerabilities were reported in Crystal Reports and Crystal Enterprise. A remote user can view and delete arbitrary files on the target system. A remote user can also consume disk space on the target system.
Ofer Maor from Imperva reported that the crystalimagehandler.aspx, crystalimagehandler.asp, and crystalimagehandler.jsp scripts do not properly validate user-supplied image names in the 'dynamicimage' parameter. As a result, a remote user can supply a specially crafted parameter containing directory traversal sequences ('..\') to view files outside the image folder on the target system.
Some demonstration exploit URLs are provided:
http://[target]/crystalreportviewers/crystalimagehandler.aspx?dynamicimage=..\win.ini
http://[target]/crystalreportviewers/crystalimagehandler.aspx?dynamicimage=..\..\boot.ini
After the file is delivered, the file is deleted.
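The lookup flaw described above, modelled as an added example (this is not code from BusinessObjects, from the advisory, or from Imperva): serve_image_unsafe() reproduces the reported behaviour, joining the unvalidated 'dynamicimage' name onto the image folder, returning the file and then deleting it, while serve_image_safe() shows one hardening (an allowlist on the name plus a realpath containment check). A small scanner flags traversal attempts in web server logs, including URL-encoded variants. The directory layout, file names and IIS-style log lines are constructed for the demonstration; nothing here is the vendor's real handler.

```python
"""
Added example, not code from BusinessObjects or the advisory: a model of
an image handler like crystalimagehandler.aspx.  serve_image_unsafe() has
the behaviour the advisory describes (unvalidated name, file served then
deleted); serve_image_safe() is one hardening.  flag_traversal_requests()
scans constructed log lines for bad 'dynamicimage' values.
"""
import os
import re
import tempfile
from urllib.parse import parse_qs, unquote


def make_image_dir():
    """Build a throwaway layout: <root>/dynamicimages/chart1.png plus a
    <root>/win.ini one level up, standing in for a system file."""
    root = tempfile.mkdtemp()
    image_dir = os.path.join(root, "dynamicimages")
    os.mkdir(image_dir)
    with open(os.path.join(image_dir, "chart1.png"), "wb") as f:
        f.write(b"\x89PNG-fake")
    with open(os.path.join(root, "win.ini"), "wb") as f:
        f.write(b"[fonts]\n")
    return image_dir


def serve_image_unsafe(image_dir, name):
    """The flaw as reported: the user-supplied name is joined straight onto
    the image folder, the contents returned, and the file removed afterwards.
    Backslashes are mapped to the local separator so the Windows-style payload
    from the advisory also traverses when this model runs on a POSIX host."""
    path = os.path.join(image_dir, name.replace("\\", os.sep))
    with open(path, "rb") as f:
        data = f.read()
    os.remove(path)  # "after the file is delivered, the file is deleted"
    return data


# Strict allowlist: a generated image name, nothing that can name a directory.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.(?:png|gif|jpe?g)")


def serve_image_safe(image_dir, name):
    """Hardened lookup: allowlist the name, then prove the resolved path
    still sits directly inside the image folder before touching it."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("rejected image name: %r" % name)
    base = os.path.realpath(image_dir)
    path = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(path) != base:
        raise ValueError("path escapes image folder")
    with open(path, "rb") as f:
        data = f.read()
    os.remove(path)
    return data


# Constructed IIS W3C-style lines (hypothetical traffic):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = [
    "2004-05-03 10:00:01 10.0.0.5 GET /crystalreportviewers/crystalimagehandler.aspx dynamicimage=chart1.png 200",
    "2004-05-03 10:00:07 10.0.0.9 GET /crystalreportviewers/crystalimagehandler.aspx dynamicimage=..\\..\\boot.ini 200",
    "2004-05-03 10:00:09 10.0.0.9 GET /crystalreportviewers/crystalimagehandler.aspx dynamicimage=..%5c..%5cwin.ini 200",
    "2004-05-03 10:00:12 10.0.0.5 GET /crystalreportviewers/viewreport.aspx id=7 200",
]


def flag_traversal_requests(lines):
    """Return (client_ip, decoded_name) for every image-handler request whose
    'dynamicimage' value fails the allowlist.  URL-encoding is undone first so
    %5c / %2e variants are caught as well as the literal '..\\' form."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7 or "crystalimagehandler" not in fields[4].lower():
            continue
        query = parse_qs(fields[5], keep_blank_values=True)
        for value in query.get("dynamicimage", []):
            decoded = unquote(value)
            if not SAFE_NAME.fullmatch(decoded):
                hits.append((fields[2], decoded))
    return hits


if __name__ == "__main__":
    img = make_image_dir()
    print(serve_image_unsafe(img, "..\\win.ini"))  # reads and deletes win.ini
    try:
        serve_image_safe(img, "..\\win.ini")
    except ValueError as err:
        print("blocked:", err)
    print(flag_traversal_requests(SAMPLE_LOG))
```

The allowlist is the important half: a containment check on its own still lets a request delete any image the server generated, so the safe handler should also only ever serve names it created itself. Because the advisory notes that served files are deleted, the log scanner is worth running retrospectively, since a single 200 response to a traversal request means the file is already gone.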
It is also reported that a remote user can repeatedly invoke the report generation modules without retrieving the related images, causing the report engine to consume excessive disk space in the image file folder. A remote user can consume all available disk space, the report said.
A further demonstration URL for the file retrieval flaw is provided:
http://[target]/crystalreportviewers/crystalimagehandler.aspx?dynamicimage=..\..\..\..\..\mydocuments\private\passwords.txt
The vendor was reportedly notified on April 26, 2004.
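One mitigation for the disk consumption issue described above, as an added example that is not the vendor's code: a bounded image spool that evicts generated images a client never fetched, stale ones first and then oldest first, until the folder is back within a byte budget. The folder, the byte budget, the maximum age and the file sizes and ages are all constructed here for the demonstration.

```python
"""
Added example, not code from BusinessObjects or the advisory: a bounded
spool for generated report images.  prune_image_folder() removes files
older than max_age_seconds and then the oldest remaining files until the
folder fits in max_bytes, so unfetched images cannot fill the disk.
"""
import os
import tempfile
import time


def folder_bytes(path):
    """Total size of regular files directly inside path."""
    return sum(e.stat().st_size for e in os.scandir(path) if e.is_file())


def prune_image_folder(image_dir, max_bytes, max_age_seconds, now=None):
    """Delete stale files, then the oldest remaining ones, until the folder
    is within max_bytes.  Returns the names removed, oldest first.  'now' is
    injectable so the behaviour can be tested with constructed timestamps."""
    now = time.time() if now is None else now
    entries = sorted(
        (e for e in os.scandir(image_dir) if e.is_file()),
        key=lambda e: e.stat().st_mtime,  # DirEntry.stat() is cached
    )
    total = sum(e.stat().st_size for e in entries)
    removed = []
    for entry in entries:
        stale = now - entry.stat().st_mtime > max_age_seconds
        if not stale and total <= max_bytes:
            break  # everything left is fresh and the budget is met
        total -= entry.stat().st_size
        os.remove(entry.path)
        removed.append(entry.name)
    return removed


def make_spool(files, now):
    """Constructed fixture: (name, size_bytes, age_seconds) tuples become
    zero-filled files with back-dated modification times."""
    spool = tempfile.mkdtemp()
    for name, size, age in files:
        path = os.path.join(spool, name)
        with open(path, "wb") as f:
            f.write(b"\0" * size)
        os.utime(path, (now - age, now - age))
    return spool


if __name__ == "__main__":
    now = time.time()
    spool = make_spool([("a.png", 100, 3600), ("b.png", 300, 60), ("c.png", 300, 10)], now)
    print(prune_image_folder(spool, max_bytes=500, max_age_seconds=600, now=now))
    print(folder_bytes(spool))
```

Run this from a scheduled task or from the image handler itself after each generation; the budget and age should be set from the folder's own partition size, since the advisory's point is that the attacker controls how many images are generated, not how large the disk is.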
Impact: A remote user can view and delete arbitrary files on the target system.
A remote user can consume disk space on the target system.
Solution: The vendor has issued a fix, described at:
http://support.businessobjects.com/fix/hot/critical/bulletins/security_bulletin_june04.asp
These vulnerabilities also affect products from other vendors, as Crystal Reports is bundled with several third-party products. Affected products include Microsoft Visual Studio .NET 2003, Microsoft Business Solutions CRM, Borland JBuilder, BEA WebLogic, and Crystal Reports for Borland C# Builder.
Vendor URL: support.businessobjects.com/fix/hot/critical/bulletins/security_bulletin_june04.asp
Cause: Input validation error, Resource error
Underlying OS: Linux (Any), UNIX (AIX), UNIX (Solaris - SunOS), Windows (Any)
Reported By: "Imperva Application Defense Center" <adc@imperva.com>
Message History:
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Sun, 2 May 2004 10:28:21 +0200
From: "Imperva Application Defense Center" <adc@imperva.com>
Subject: Crystal Reports Vulnerabilities
Dear List,
Imperva(tm)'s Application Defense Center has discovered several
vulnerabilities in BusinessObject's Crystal Reports' Web Interface.
These vulnerabilities allow a potential hacker to retrieve and delete
any file from the file system of the server on which it runs, as well as
causing a complete denial of service to the server.
In the past week, we have attempted to contact BusinessObjects in order
to provide them the details of the vulnerability, so that a patch can be
issued by them to solve the problem. Since we were unable to find any
security-specific contact, we have attempted to notify them through all
known support email addresses, the support contact form on their site,
and several standard email addresses, such as info, support, security,
etc.
Sadly, none of these attempts has succeeded. We therefore send it in
here, hoping this list is read by anyone related to BusinessObjects or
by anyone who knows how to contact their security related staff. Any
assistance in contacting the right person would be appreciated.
Sincerely,
---
Ofer Maor
Application Defense Center Manager
Imperva(tm) Inc.
http://www.imperva.com/adc/