Bug 259127 - Reflected XSS in report parameter
Summary: Reflected XSS in report parameter
Status: VERIFIED FIXED
Alias: None
Product: z_Archived
Classification: Eclipse Foundation
Component: BIRT
Version: unspecified
Hardware: All
OS: All
Importance: P3 major
Target Milestone: 2.5.0
Assignee: Vincent Petry
QA Contact: Maggie Shen
URL:
Whiteboard: Obsolete
Keywords:
Depends on:
Blocks:
Reported: 2008-12-17 11:04 EST by Michele Orru
Modified: 2009-03-31 06:15 EDT
See Also:
Description  Michele Orru  2008-12-17 11:04:15 EST
A reflected XSS is present in the __report parameter; below is the modified request (this is the BIRT 2.2.1 version included in Konakart 2.2.6).

GET /birt-viewer/run?__report='"><iframe%20src=javascript:alert(666)>&r=-703171660 HTTP/1.1
Host: localhost:8780
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.18) Gecko/20081029 Firefox/2.0.0.18
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://localhost:8780/konakartadmin/


Konakart is actually using org.eclipse.birt.core_2.2.1.r22x_v20070924, which is actually old, I guess.

I don't have the time to try the exploit on newer versions; I leave this to you, even if I suppose that newer versions will be vulnerable too.

That said, I'm gonna publish it on my website http://antisnatchor.com as soon as you start to submit a patch.

Thanks

Michele Orru'
Comment 1  Vincent Petry  2009-02-11 03:39:09 EST
The exception stack trace is now also HTML-encoded.
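As an added example (not BIRT's own code), a Python model of the fix described in Comment 1: the report name and the exception text that get reflected into the viewer's error page are HTML-encoded, so the __report payload from the description is rendered as inert text instead of markup. The error-page template and the exception message are hypothetical stand-ins for the viewer's real output.

```python
"""Added example: HTML-encoding reflected values in an error page.
Not BIRT code; the page template and exception text are hypothetical."""
import html
import re
from urllib.parse import unquote

# Constructed from the __report value in the request quoted in the description,
# URL-decoded as the viewer would see it.
PAYLOAD = unquote("'\"><iframe%20src=javascript:alert(666)>")


def build_error_page(report_name: str, encode: bool) -> str:
    """Model an error page that echoes the failed report name and the
    exception message. encode=False reproduces the vulnerable behaviour
    (raw reflection); encode=True HTML-encodes every reflected value,
    which is the fix applied in Comment 1."""
    # Hypothetical exception text; the real stack trace also carried the name.
    exc_message = f"Report design not found: {report_name}"
    # html.escape(quote=True) encodes & < > " and ', so the value is safe in
    # both attribute context (title='...') and text context.
    esc = html.escape if encode else (lambda s: s)
    return (
        "<html><body>"
        f"<h1>Error running report <span title='{esc(report_name)}'>"
        f"{esc(report_name)}</span></h1>"
        f"<pre>{esc(exc_message)}</pre>"
        "</body></html>"
    )


TEMPLATE_TAGS = {"html", "body", "h1", "span", "pre"}


def injected_tags(page: str) -> list:
    """Return the sorted set of tag names in the page that are not part of the
    template, i.e. markup that came from reflected input."""
    found = re.findall(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)", page)
    return sorted({t.lower() for t in found} - TEMPLATE_TAGS)


if __name__ == "__main__":
    print(injected_tags(build_error_page(PAYLOAD, encode=False)))  # ['iframe']
    print(injected_tags(build_error_page(PAYLOAD, encode=True)))   # []
```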
Comment 2  Maggie Shen  2009-03-09 05:32:42 EDT
Verified on build 2.5.0 v20090309-0630.