exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Microsoft Report Viewer Cross Site Scripting

Microsoft Report Viewer Cross Site Scripting
Posted Aug 25, 2011
Authored by Adam Bixby | Site gdssecurity.com

Microsoft Report Viewer controls suffer from a cross site scripting vulnerability. Microsoft Report Viewer Redistributable 2005 SP1 and Microsoft Visual Studio 2005 Service Pack 1 are affected.

tags | exploit, xss
advisories | CVE-2011-1976
SHA-256 | 4d9788bddcd51301180727fdb8f1bfb7d0282f2267bc50035868014db7f5b3e7

Microsoft Report Viewer Cross Site Scripting

Change Mirror Download
==================================================
Cross-Site Scripting (XSS) in Microsoft ReportViewer Controls
Adam Bixby - Gotham Digital Science (labs@gdssecurity.com)
Public Release Date: 8/9/2011
Confirmed Affected Software: Microsoft Report Viewer Redistributable 2005 SP1 and Microsoft Visual Studio 2005 Service Pack 1
Browser used for testing: IE8 (8.0.7601.17514)
Severity: High
MS Bulletin: MS11-067 - http://www.microsoft.com/technet/security/Bulletin/MS11-067.mspx
CVE: CVE-2011-1976

==================================================
1. Summary
==================================================
The Microsoft ReportViewer Controls are a freely redistributable control that enables embedding reports in applications developed using the .NET Framework. A Cross-Site Scripting (XSS) vulnerability was found in the Microsoft.ReportViewer.WebForms.dll. The XSS vulnerability appears to affect all websites that utilize the affected controls.

==================================================
2. Technical Details
==================================================
File: Microsoft.ReportViewer.WebForms.dll (PerformOperation() method of the SessionKeepAliveOperation class)
1) User controllable data enters via the "TimerMethod" URL parameter value and is assigned to the "andEnsureParam" string variable.

string andEnsureParam = HandlerOperation.GetAndEnsureParam(urlQuery, "TimerMethod");

2) The "andEnsureParam" variable with user-controllable input is then passed into the "s" string variable which is dynamically building a javascript block. The "s" variable is then passed to response.write(). Writing the un-validated data to the JS block creates the XSS exposure.

string s = string.Format(CultureInfo.InvariantCulture, "<html><body><script type=\"text/javascript\">parent.{0}();</script></body></html>", new object[] { andEnsureParam });
response.Write(s);

==================================================
3. Proof-of-Concept Exploit
==================================================
This vulnerability can be exploited against websites that have deployed the vulnerable Microsoft.ReportViewer.WebForms.dll. You will note that since the data is being written into an existing Javascript block that the attacker does not need to include any opening or closing tags (i.e.,<img>, <script>, etc) to execute code.

Reproduction Request:
https://test.com/Reserved.ReportViewerWebControl.axd?Mode=true&ReportID=<arbitraryIDvalue>&ControlID=<validControlID>&Culture=1033&UICulture=1033&ReportStack=1&OpType=SessionKeepAlive&TimerMethod=KeepAliveMethodctl00_PlaceHolderMain_SiteTopUsersByHits_ctl00TouchSession0;alert(document.cookie);//&CacheSeed=

(Note: During testing of this issue, it appeard as though a valid ControlID parameter value was needed to exploit this issue)

==================================================
4. Recommendation
==================================================
Update to the latest versions. For more information please see http://www.microsoft.com/technet/security/Bulletin/MS11-067.mspx

==================================================
5. About Gotham Digital Science
==================================================
Gotham Digital Science (GDS) is an information security consulting firm that works with clients to identify, prevent, and manage security risks. For more information on GDS, please contact info@gdssecurity.com or visit http://www.gdssecurity.com.
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close