Bug 546816 (CVE-2019-11776) - Reflected XSS vulnerability in the __format URL parameter
Summary: Reflected XSS vulnerability in the __format URL parameter
Status: RESOLVED FIXED
Alias: CVE-2019-11776
Product: z_Archived
Classification: Eclipse Foundation
Component: BIRT
Version: 4.7.0
Hardware: PC All
Importance: P3 major
Target Milestone: ---
Assignee: ShiHeng Guan CLA
QA Contact: Galina Derenshteyn CLA
URL: https://cve.mitre.org/cgi-bin/cvename...
Keywords: security

Reported: 2019-04-29 05:58 EDT by Vineet Pandey CLA
Modified: 2019-08-10 18:33 EDT
CC: 9 users

Attachments
log (13.37 KB, text/plain)
2019-07-11 15:09 EDT, Galina Derenshteyn CLA

Description Vineet Pandey CLA 2019-04-29 05:58:16 EDT
Affected URL - 
http://HOST:PORT/birtviewer/run?__report=TestName.rptdesign&__format=html&__overwrite=false
############################
Affected Parameter - 
__format=html
############################
Payload to be fired - 
';alert(1)//
############################
Crafted URL - 
http://HOST:PORT/birtviewer/run?__report=TestName.rptdesign&__format=html';alert(1)//&__overwrite=false
############################

By sending this crafted URL to a victim, an attacker can execute the payload in the victim's context. 
You can replicate the issue by following the above-mentioned steps. Do let me know if any further information is required. Also, if you are able to replicate it, can you please assign a CVE for it?

This vulnerability has been tested with the configuration below:
Viewer Version: 4.7.0
Engine Version: 4.7.0
JRE version: 1.8.0_152
Comment 1 Vineet Pandey CLA 2019-05-01 07:26:53 EDT
Hi - Any updates?
Comment 2 Vineet Pandey CLA 2019-05-03 01:49:03 EDT
Can anyone please update on this issue?
Comment 3 Vineet Pandey CLA 2019-05-08 05:26:44 EDT
Any updates?
Comment 4 Vineet Pandey CLA 2019-05-16 07:41:10 EDT
Any progress/update?
Comment 5 Wayne Beaton CLA 2019-05-16 10:38:18 EDT
Project team, please engage.

Our process for responding to vulnerabilities (including the process by which we assign CVEs) is captured in the handbook.

https://www.eclipse.org/projects/handbook/#vulnerability
Comment 6 Vineet Pandey CLA 2019-06-18 04:53:43 EDT
Hi - Any progress/update?
Comment 7 Vineet Pandey CLA 2019-07-11 03:34:44 EDT
Hi - Any updates?

It seems that the vulnerability was disclosed long back and is yet to be fixed.
Also, your 90-day/3-month vulnerability disclosure policy is reaching its deadline.

Can you please help with assigning a CVE for this now.

Regards!
Comment 8 Galina Derenshteyn CLA 2019-07-11 15:08:27 EDT
Using the crafted URL returned an exception:
+ org.eclipse.birt.report.service.api.ReportServiceException: The output format html';alert(1)// is not supported.

Tested with the deployment .war file on Tomcat using BIRT OS v.4.11 (OSGI and NONOSGI) and couldn't replicate the problem in the following browsers: Firefox, Chrome, IE - all latest versions.

URL: http://localhost:8080/birt/run?__report=_1.rptdesign&__format=html';alert(1)//&__overwrite=false

Log is attached.
Comment 9 Galina Derenshteyn CLA 2019-07-11 15:09:21 EDT
Created attachment 279253: log
Comment 10 Galina Derenshteyn CLA 2019-07-11 15:42:47 EDT
I followed your steps and wasn't able to replicate the issue. Please provide more details to replicate the problem.
Comment 11 Vineet Pandey CLA 2019-07-12 02:40:40 EDT
Hi Galina -

I've verified at my end. It's working well, but this seems specific to parameter-holding reports. 

https://help.eclipse.org/kepler/index.jsp?topic=%2Forg.eclipse.birt.doc%2Fbirt%2Frp-HowToCreateABasicReportParameter.html
https://www.ibm.com/support/knowledgecenter/SSBSK5_7.5.0/org.eclipse.birt.doc/birt/birt-12-7.html

Also, your error is valid, since I verified without parameter-asking reports and it returns the same.

In my case, the user is prompted with a parameter window and has to give the required inputs or choose from the available options; once submitted, the report gets generated. Then you need to move to the "Print Report" option within the BIRT report viewer, select HTML and get the URL. Craft the URL as mentioned in my report and it will get executed.

This vulnerability has been tested with the configuration below:
Viewer Version: 4.7.0
Engine Version: 4.7.0
JRE version: 1.8.0_152
Also, I am using the Jetty server, not Tomcat.

Below are a few of the jars which I found after installation - 
eclipse-birt-org.eclipse.osgi_3.10.100.v20150529-1857.jar
eclipse-birt-org.eclipse.osgi.services_3.5.0.v20150519-2006.jar

Let me know if it works well with you.
Comment 12 Galina Derenshteyn CLA 2019-07-12 12:14:10 EDT
Was able to replicate the reported problem after receiving more details from the submitter.

Steps to reproduce:

Use BIRT OS 4.11 or an earlier version to see the problem 
Deploy the .war file on Tomcat (OSGI or NONOSGI)

Run the report test1.rptdesign, which includes parameters, against Tomcat, or use the URL below to execute this report:

http://localhost:8080/birt/frameset?__report=test1.rptdesign&sample=my+parameter

Enter the value 10 for the second param

After the report has launched in the Web Viewer, click Print to HTML

Get this URL:
http://localhost:8080/birt/output?__report=test1.rptdesign&sample=my+parameter&&__format=html&__pageoverflow=0&__overwrite=false

Craft this URL by adding the following: ';alert(1)//

http://localhost:8080/birt/output?__report=test1.rptdesign&sample=my+parameter&&__format=html&__pageoverflow=0';alert(1)//&__overwrite=false

Result: it gets executed.

NOTE: the problem happens for any report, with or without parameters, when using Print to HTML.
Comment 13 Vineet Pandey CLA 2019-07-15 07:04:08 EDT
Thanks Galina!

Proper measures/controls are to be deployed around all the query string parameters.

Also, can you please let me know when you're expecting to fix this and assign a CVE to it.
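As an added example (not part of this bug thread and not BIRT's own code), the kind of control comment 13 asks for: per-parameter allowlist validation of the viewer's query string, plus a scan of access-log lines to spot requests carrying values that fail those rules. The format allowlist, the parameter rules and the sample log lines are assumptions constructed for the example.

```python
from urllib.parse import urlsplit, unquote_plus

# Constructed allowlist of viewer output formats; BIRT's real emitter list is
# not reproduced here.
ALLOWED_FORMATS = {"html", "pdf", "xls", "doc", "ppt", "postscript"}

# Per-parameter validators (assumed rules): True only for a value the viewer
# should accept, so a crafted value never reaches the page that echoes it.
PARAM_RULES = {
    "__format": lambda v: v.lower() in ALLOWED_FORMATS,
    "__pageoverflow": lambda v: v.isdigit(),
    "__overwrite": lambda v: v.lower() in {"true", "false"},
}

def parse_query(url):
    """Split the query on '&' only (a ';' inside a value is data, not a
    separator), decoding each key and value exactly once."""
    pairs = []
    for part in urlsplit(url).query.split("&"):
        if not part:
            continue  # tolerates the '&&' present in the reported URL
        key, _, val = part.partition("=")
        pairs.append((unquote_plus(key), unquote_plus(val)))
    return pairs

def find_violations(url):
    """Return (param, value) for each known viewer parameter whose value fails
    its rule; an empty list means the request may proceed."""
    return [(k, v) for k, v in parse_query(url)
            if k in PARAM_RULES and not PARAM_RULES[k](v)]

# Constructed access-log lines (combined log format) for the scanner below.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jul/2019:12:14:10 -0400] "GET /birt/output?__report=test1.rptdesign&__format=html&__pageoverflow=0 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [12/Jul/2019:12:15:02 -0400] "GET /birt/output?__report=test1.rptdesign&__format=html&__pageoverflow=0%27;alert(1)// HTTP/1.1" 200 5120',
]

def scan_access_log(lines):
    """Flag logged GET requests whose viewer parameters fail validation, which
    is how a defender can hunt for attempts against an unpatched viewer."""
    hits = []
    for line in lines:
        start = line.find('"GET ')
        if start < 0:
            continue
        path = line[start + 5:].split(" ", 1)[0]
        bad = find_violations(path)
        if bad:
            hits.append((path, bad))
    return hits
```

Rejecting the request outright on a violation, rather than echoing the offending value back in an error page, is what closes the reflection path.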
Comment 14 Wayne Beaton CLA 2019-07-17 22:14:19 EDT
A project committer may request a CVE. The process is described here:

https://www.eclipse.org/projects/handbook/#vulnerability-cve
Comment 15 Galina Derenshteyn CLA 2019-07-18 12:13:55 EDT
A developer was assigned and is working to fix this problem.
Comment 16 Vineet Pandey CLA 2019-07-29 15:06:01 EDT
Hi - any updates?

It's been more than 90 days since I reported the issue. I understand the disclosure can be made public now.

Regards,
Vineet
Comment 17 Wayne Beaton CLA 2019-07-29 15:28:49 EDT
> It's been more than 90 days since reported the issue. I understand
> disclosure can be made public now.

Agreed, so marked.

I assume that the "assignee" field is correct. ShiHeng Guan, what is the status of the fix?
Comment 18 ShiHeng Guan CLA 2019-07-29 15:31:05 EDT
It is checked in and resolved:

https://github.com/eclipse/birt/commit/7cb3874ec1be1a0e35d3920a1210a88b3d5393d2
Comment 19 Wayne Beaton CLA 2019-07-29 15:35:38 EDT
Is a CVE required? If yes, the steps are described in the handbook.

https://www.eclipse.org/projects/handbook/#vulnerability-cve
Comment 20 Vineet Pandey CLA 2019-07-30 14:15:19 EDT
Can someone from project team help in assigning cve?
Comment 21 Vineet Pandey CLA 2019-08-02 03:33:49 EDT
It will be great if a project committer can help with filing the CVE. Or shall I go ahead and register a request on - https://cveform.mitre.org/
Comment 22 Vineet Pandey CLA 2019-08-05 03:56:39 EDT
Not sure why the team is not responding on the CVE part?
And what's the harm in assigning a CVE?
Comment 23 Yulin Wang CLA 2019-08-05 13:25:00 EDT
(In reply to Vineet Pandey from comment #22)
> Not sure why the team is not responding on CVE part?
> And what's the harm in assigning CVE.

I think Shiheng Guan is working on it.
Comment 24 ShiHeng Guan CLA 2019-08-05 18:57:08 EDT
A request was sent to Eclipse security for a CVE number.
Comment 25 Vineet Pandey CLA 2019-08-08 13:43:23 EDT
Thanks Shiheng!
Is there any timeline Eclipse follows for assigning the CVE?
Comment 26 Wayne Beaton CLA 2019-08-08 13:53:51 EDT
We'll assign CVE-2019-11776. I'll start the submission process using the information from the email to security@eclipse.org

(in the future, please add this information on the bug directly)

--
Project: Eclipse BIRT 4.7.0

Version Affected: [1.0.0-4.7.0]

CWE-79: Improper Neutralization of Input During Web Page Generation

Summary: Eclipse BIRT 1.0 to 4.7, Report Viewer allows reflected XSS in a URL parameter. An attacker can execute the payload in the victim's browser context.
--
Comment 27 Wayne Beaton CLA 2019-08-08 14:02:05 EDT
Submitted to the central authority.

Pull request: https://github.com/CVEProject/cvelist/pull/2416

I'll update the URL field when the request is processed.
Comment 28 ShiHeng Guan CLA 2019-08-08 14:08:40 EDT
Thanks, I will do that in the future.