OSVDB ID: 6748

Title: Business Objects Crystal Reports/Enterprise crystalimagehandler.aspx Arbitrary File Manipulation

Info

Disclosure

Jun 08, 2004

Discovery

Apr 20, 2004

Dates

Exploit

Jun 08, 2004

Solution

Unknown

Description

Crystal Reports and Crystal Enterprise contain a flaw that allows a remote attacker to access or delete files outside of the web path. The issue is due to the crystalimagehandler.aspx script not properly sanitizing user input, specifically traversal style attacks (../../) supplied via the "dynamicimage" variable.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity, Loss of Availability
Exploit: Exploit Public
Disclosure: OSVDB Verified, Vendor Verified
OSVDB: Web Related

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Business Objects has released a patch to address this vulnerability.

Products

Business Objects	Crystal Enterprise	10
		9
	Crystal Reports	10
		9

References

Bugtraq ID: 10260
OVAL ID: 1157
Secunia Advisory ID: 11800
ISS X-Force ID: 16044
CVE ID: 2004-0204 (see also: NVD)
Related OSVDB ID: 6747 6748
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-06/0108.html
http://marc.theaimsgroup.com/?l=bugtraq&m=108360413811017&w=2
http://marc.theaimsgroup.com/?l=bugtraq&m=108671836127360&w=2
Vendor Specific Advisory URL: http://support.businessobjects.com/fix/hot/critical/bulletins/security_bulletin_june04.asp
Vendor Specific News/Changelog Entry: http://support.businessobjects.com/fix/hot/critical/bulletins/security_bulletin_june04.asp
Vendor Specific Solution URL: http://support.businessobjects.com/fix/hot/critical/default.asp
Other Advisory URL: http://www.microsoft.com/technet/security/bulletin/ms04-017.asp

Credit

Moran Surf - adcimperva.com - Imperva Application Defense Center
Amichai Shulman - adcimperva.com - Imperva Application Defense Center

Direct URL: http://osvdb.org/6748