[birt-dev] Eclipse BIRT Security Bulletin: Web Viewer Example Security
Background and Summary
The Eclipse BIRT project provides a Web Viewer Example that illustrates one mechanism for integrating BIRT content into a web application. The Web Viewer Example is a small web application that shows how to both generate and view BIRT content from within an application server. It is intended only as example code and provides capabilities including parameter handling and page navigation.
A specific capability provided is the ability to “run” a BIRT design (.rptdesign) located in an arbitrary location accessible via the file system, HTTP or FTP.
We expect that most developers would use the Web Viewer Example as a starting point and modify it for their particular needs, including addressing any security requirements for their application. However, a member of the BIRT community has identified a potential security vulnerability in the Web Viewer Example, and this bulletin is intended to alert the rest of the community to the issue in case it applies to their usage of the sample code.
This vulnerability can only be exploited if the application server allows outbound HTTP or FTP requests initiated by an application running in the server, and if the URL parameter has been exposed as part of the application.
Recommendation and Resolution
There are three recommendations for mitigating this vulnerability:
· Ensure the application server hosting the Web Viewer Example and/or the network infrastructure does not permit outbound HTTP or FTP requests initiated from within the Web Viewer Example application.
· Modify the Web Viewer Example source code to disable or restrict the feature that allows URL based access to BIRT designs. The Web Viewer Example is intended as an example and all source code is provided. Suggested changes are referenced in Bugzilla 336767. These provide additional control of the URL based access to BIRT designs and enable the feature to be disabled or restricted so that designs can only be accessed from a known domain.
· Upgrade to BIRT 2.6.2 or later (when available) that incorporates the changes referenced in Bugzilla 336767 to easily disable or restrict URL based access to BIRT designs, with the default being to restrict access to designs located on the current domain only.
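As an added illustration of the second and third recommendations (not code from the BIRT project or from Bugzilla 336767), the following stand-alone Java class shows one way a developer could gate a client-supplied report location before the viewer fetches it: URL based access can be switched off outright, and when it is on, only http or ftp locations whose host is on a configured allowlist are accepted, with the viewer's own host as the assumed default entry. The class name, the Decision values and the allowlist are assumptions for this illustration; a bare design name with no scheme is assumed to be resolved by the existing local report directory code.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Hypothetical policy class for this illustration; not part of the BIRT Web Viewer Example.
public final class ReportUrlPolicy {
    public enum Decision { ALLOW, DENY_DISABLED, DENY_SCHEME, DENY_HOST, DENY_MALFORMED }

    private final boolean remoteAccessEnabled; // false: URL based access switched off outright
    private final Set<String> allowedHosts;    // lower-case host names the viewer may fetch from

    public ReportUrlPolicy(boolean remoteAccessEnabled, Set<String> allowedHosts) {
        this.remoteAccessEnabled = remoteAccessEnabled;
        this.allowedHosts = allowedHosts;
    }

    // Decide whether a client-supplied report location may be fetched over the network.
    public Decision check(String reportLocation) {
        final URI uri;
        try {
            uri = new URI(reportLocation);
        } catch (URISyntaxException e) {
            return Decision.DENY_MALFORMED;
        }
        String scheme = uri.getScheme();
        if (scheme == null) {
            return Decision.ALLOW; // bare design name: left to the existing local report directory path
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("ftp")) {
            return Decision.DENY_SCHEME; // only the two remote schemes the viewer supports
        }
        if (!remoteAccessEnabled) {
            return Decision.DENY_DISABLED;
        }
        // Compare the parsed host, not the raw string, so user-info, ports or
        // encoding in the location cannot make a foreign host look like an allowed one.
        String host = uri.getHost();
        if (host == null || !allowedHosts.contains(host.toLowerCase(Locale.ROOT))) {
            return Decision.DENY_HOST;
        }
        return Decision.ALLOW;
    }
}
```

Call `check` on the request parameter before the existing fetch code and refuse the request on any decision other than ALLOW; the distinct DENY values give the server log something specific to record when a blocked location is requested. Constructing the policy as `new ReportUrlPolicy(false, Set.of())` implements the "disable" option, and `new ReportUrlPolicy(true, Set.of("reports.example.com"))` (a constructed host name) implements the "restrict to a known domain" option.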
For details, see Bugzilla 336767.