SecurityTracker.com
Category:   Application (Generic)  >   Crystal Reports
Vendors:   Business Objects
Crystal Reports Input Validation Flaws Let Remote Users View and Delete Files and Deny Service
SecurityTracker Alert ID:  1010035
SecurityTracker URL:  http://securitytracker.com/id/1010035
CVE Reference:   CAN-2004-0204
Updated:  Jun 8 2004
Original Entry Date:  May 3 2004
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): Crystal Reports and Crystal Enterprise; Versions 9, 10
Description:   Several vulnerabilities were reported in Crystal Reports and Crystal Enterprise. A remote user can view and delete arbitrary files on the target system. A remote user can also consume disk space on the target system.

Ofer Maor from Imperva reported that the crystalimagehandler.aspx, crystalimagehandler.asp, and crystalimagehandler.jsp scripts do not properly validate user-supplied image names in the 'dynamicimage' parameter. As a result, a remote user can supply a specially crafted parameter to view files on the target system.

Some demonstration exploit URLs are provided:

http://[target]/crystalreportviewers/crystalimagehandler.aspx?dynamicimage=..\win.ini

http://[target]/crystalreportviewers/crystalimagehandler.aspx?dynamicimage=..\..\boot.ini

After the file is delivered, the file is deleted.

It is also reported that a remote user can repeatedly invoke the report generation modules without retrieving the related images to cause the report engine to consume excessive disk space in the image file folder. A remote user can consume all available disk space, the report said.

A demonstration exploit URL is provided:

http://[target]/crystalreportviewers/crystalimagehandler.aspx?dynamicimage=..\..\..\..\..\mydocuments\private\passwords.txt
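
Added example (not part of the original advisory and not vendor code): a Python log check that flags requests to the crystalimagehandler scripts whose 'dynamicimage' value, after percent-decoding, is not a bare file name. The log layout (client, method, URL, status), the sample lines and the legitimate image name are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Handler scripts named in the advisory (.aspx, .asp, .jsp variants).
HANDLER = re.compile(r"/crystalimagehandler\.(aspx|asp|jsp)$", re.IGNORECASE)

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is unmasked."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_bare_image_name(name):
    """Accept only a plain file name: no separators, '..', drive colon or NUL."""
    if not name or any(ch in name for ch in "/\\:\x00"):
        return False
    return ".." not in name

def suspicious_requests(log_lines):
    """Return (client, decoded value) for handler requests that fail validation."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # not in the assumed "client method url status" layout
        client, _method, url, _status = fields
        parts = urlsplit(url)
        if not HANDLER.search(parts.path):
            continue
        for key, value in parse_qsl(parts.query):
            if key.lower() != "dynamicimage":
                continue  # parameter name is matched case-insensitively
            name = decode_fully(value)
            if not is_bare_image_name(name):
                hits.append((client, name))
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    r"192.0.2.10 GET /crystalreportviewers/crystalimagehandler.aspx?dynamicimage=report_1234.png 200",
    r"198.51.100.7 GET /crystalreportviewers/crystalimagehandler.aspx?dynamicimage=..\win.ini 200",
    r"198.51.100.7 GET /crystalreportviewers/crystalimagehandler.jsp?DynamicImage=%252e%252e%255c%252e%252e%255cboot.ini 200",
    r"192.0.2.10 GET /index.html?dynamicimage=..\x 404",
]

if __name__ == "__main__":
    for client, name in suspicious_requests(SAMPLE_LOG):
        print(f"{client} requested dynamicimage={name!r}")
```

The same is_bare_image_name check is the kind of input validation the handler lacked: reject the request before any file path is built from the parameter.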

The vendor was reportedly notified on April 26, 2004.

Impact:   A remote user can view and delete arbitrary files on the target system.

A remote user can consume disk space on the target system.

Solution:   The vendor has issued a fix, described at:

http://support.businessobjects.com/fix/hot/critical/bulletins/security_bulletin_june04.asp

This vulnerability also affects products from other vendors, as Crystal Reports is included in several products from other vendors. Affected products include Microsoft Visual Studio .NET 2003, Microsoft Business Solutions CRM, Borland J Builder, BEA WebLogic, and Crystal Reports for Borland C# Builder.

Vendor URL:  support.businessobjects.com/fix/hot/critical/bulletins/security_bulletin_june04.asp
Cause:   Input validation error, Resource error
Underlying OS:   Linux (Any), UNIX (AIX), UNIX (Solaris - SunOS), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 8 2004 (Microsoft Issues Fix for Visual Studio .NET) Crystal Reports Input Validation Flaws Let Remote Users View and Delete Files and Deny Service
Microsoft has issued a fix for Visual Studio .NET, which is affected by this vulnerability.
Jun 8 2004 (Microsoft Issues Fix for Outlook 2003) Crystal Reports Input Validation Flaws Let Remote Users View and Delete Files and Deny Service
Microsoft Outlook 2003 is affected when used with the Business Contact Manager. A fix is available as part of MS04-017.
Jun 8 2004 (Microsoft Issues Fix for Business Solutions CRM) Crystal Reports Input Validation Flaws Let Remote Users View and Delete Files and Deny Service
Microsoft Business Solutions CRM is affected. A fix is available as part of MS04-017.
Jun 29 2004 (BEA WebLogic is Affected) Crystal Reports Input Validation Flaws Let Remote Users View and Delete Files and Deny Service
BEA indicates that WebLogic Workshop 8.1 customers should upgrade.



 Source Message Contents

Date:  Sun, 2 May 2004 10:28:21 +0200
Subject:  Crystal Reports Vulnerabilities


Dear List,

Imperva(tm)'s Application Defense Center has discovered several
vulnerabilities in BusinessObject's Crystal Reports' Web Interface.
These vulnerabilities allow a potential hacker to retrieve and delete
any file from the file system of the server on which it runs, as well as
causing a complete denial of service to the server.

In the past week, we have attempted to contact BusinessObjects in order
to provide them the details of the vulnerability, so that a patch can be
issued by them to solve the problem. Since we were unable to find any
security-specific contact, we have attempted to notify them through all
known support email addresses, the support contact form on their site,
and several standard email addresses, such as info, support, security,
etc.

Sadly, none of these attempts has succeeded. We therefore send it in
here, hoping this list is read by anyone related to BusinessObjects or
by anyone who knows how to contact their security related staff. Any
assistance in contacting the right person would be appreciated.

Sincerely,

---
Ofer Maor
Application Defense Center Manager
Imperva(tm) Inc.
http://www.imperva.com/adc/

 
 



Copyright 2014, SecurityGlobal.net LLC