Crystal Reports crystalimagehandler.aspx directory traversal
crystalreports-file-deletion (16044)
Description:
Crystal Reports could allow a remote attacker to traverse directories on the system because of a vulnerability in the Crystal Reports and Crystal Enterprise Web interface. An attacker could send a specially-crafted URL request to the crystalimagehandler.aspx script containing "dot dot" sequences in the "dynamicimag" parameter to traverse directories and view or delete arbitrary files on the system. Deleting files could result in a denial of service.
*CVSS:
| Metric | Value |
| --- | --- |
| Base Score | 7 |
| Access Vector | Remote |
| Access Complexity | Low |
| Authentication | Not Required |
| Confidentiality Impact | Partial |
| Integrity Impact | Partial |
| Availability Impact | Partial |
| Temporal Score | 6.1 |
| Exploitability | High |
| Remediation Level | Official-Fix |
| Report Confidence | Confirmed |
Consequences:
File Manipulation
Remedy:
For Microsoft Business Solutions CRM and Microsoft Visual Studio .NET 2003: Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS04-017. See References.
For BEA WebLogic: Upgrade to the latest version (8.1 SP3 or later), as listed in BEA Systems Inc. Security Advisory BEA04-63.00. See References.
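To check web server logs for the request pattern in the Description while patches are rolled out, the following added example (not part of the original advisory or of any vendor tooling) flags requests to crystalimagehandler.aspx whose dynamicimag value contains a ".." path segment, including percent-encoded and double-encoded forms. The Apache-style log format, the sample lines, the /reports/ path and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

HANDLER = "crystalimagehandler.aspx"
PARAM_PREFIX = "dynamicimag"  # name as given in the advisory; matched by prefix
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (assumed access-log format, documentation IPs).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:00:00:01 +0000] "GET /reports/crystalimagehandler.aspx?dynamicimage=chart_01.png HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2000:00:00:02 +0000] "GET /reports/crystalimagehandler.aspx?dynamicimage=../../example.txt HTTP/1.1" 200 812',
    '192.0.2.44 - - [01/Jan/2000:00:00:03 +0000] "GET /reports/CrystalImageHandler.aspx?dynamicimage=%2e%2e%5c%2e%2e%5cexample.txt HTTP/1.1" 200 812',
    '192.0.2.44 - - [01/Jan/2000:00:00:04 +0000] "GET /reports/crystalimagehandler.aspx?dynamicimag=%252e%252e%252fexample.txt HTTP/1.1" 404 0',
    '192.0.2.10 - - [01/Jan/2000:00:00:05 +0000] "GET /reports/other.aspx?file=../x HTTP/1.1" 404 0',
    '192.0.2.10 - - [01/Jan/2000:00:00:06 +0000] "GET /reports/crystalimagehandler.aspx?dynamicimage=report..v2.png HTTP/1.1" 200 900',
]

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded sequences (%252e) are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(uri):
    """True if uri targets the handler and a dynamicimag* value has a '..' segment."""
    parts = urlsplit(uri)
    if not parts.path.lower().endswith("/" + HANDLER):
        return False
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower().startswith(PARAM_PREFIX):
            # Split on both separators; Windows hosts accept '\' as well as '/'.
            segments = re.split(r"[\\/]", fully_decode(value))
            if ".." in segments:
                return True
    return False

def scan(lines):
    """Return (line_number, uri) for every log line that matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m and is_traversal(m.group(1)):
            hits.append((n, m.group(1)))
    return hits

if __name__ == "__main__":
    for n, uri in scan(SAMPLE_LOG):
        print(f"line {n}: {uri}")
```

A 200 response to a flagged request on an unpatched host is the case to investigate first; the same check can be adapted to other log formats by changing only `REQUEST_RE`.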
References:
- BEA Systems Inc. Security Advisory BEA04-63.00: Patch available to prevent arbitrary file access and possible disk space exhaustion.
- BugTraq Mailing List, Sun May 02 2004 - 03:28:21 CDT: Crystal Reports Vulnerabilities.
- BugTraq Mailing List, Tue Jun 08 2004 - 10:17:41 CDT: Vulnerability: Arbitrary File Access & DoS in Crystal Reports.
- CIAC Information Bulletin O-154: Microsoft - Crystal Reports Web Viewer Information Disclosure Vulnerability.
- IBM Internet Security Systems X-Force Database: HTTP "dot dot" sequences.
- Microsoft Security Bulletin MS04-017: Vulnerability in Crystal Reports Web Form Viewer could allow Information Disclosure and Denial of Service (842689).
- BID-10260: Business Objects Crystal Reports Web Form Viewer Directory Traversal Vulnerability
- CVE-2004-0204: Directory traversal vulnerability in the web viewers for Business Objects Crystal Reports 9 and 10, and Crystal Enterprise 9 or 10, as used in Visual Studio .NET 2003 and Outlook 2003 with Business Contact Manager, Microsoft Business Solutions CRM 1.2, and other products, allows remote attackers to read and delete arbitrary files via .. sequences in the dynamicimag argument to crystalimagehandler.aspx.
- OSVDB ID: 6748: Crystal Reports/Enterprise Arbitrary File Manipulation
- SA11800: Crystal Reports and Crystal Enterprise Directory Traversal Vulnerability
Platforms Affected:
- BusinessObjects Crystal Reports
- Microsoft Business Solutions CRM 1.2
- Microsoft Outlook 2003 Business Contact Manager
- Microsoft Visual Studio 2003
- Oracle WebLogic Server 8.1 SP2
Reported:
May 02, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
