[birt-dev] Eclipse BIRT Security Bulletin: Web Viewer Example Security

Eclipse BIRT Security Bulletin: Web Viewer Example Security


Background and Summary


The Eclipse BIRT project provides a Web Viewer Example that illustrates one mechanism for integrating BIRT content into a web application. The Web Viewer Example is a small web application that shows how to both generate and view BIRT content from within an application server. It is intended only as example code and provides capabilities including parameter handling and page navigation.


A specific capability provided is the ability to “run” a BIRT design (.rptdesign) located in an arbitrary location accessible via the file system, HTTP or FTP.


We expect that most developers would use the Web Viewer Example as an example and modify it for their particular needs, including addressing any security requirements for their application. However, a member of the BIRT community has identified a potential security vulnerability with the Web Viewer Example and this bulletin is intended to alert the rest of the community to the issue in case it applies to their usage of the sample code.


Vulnerability


The Web Viewer Example includes the ability for a user to enter the location of the BIRT design to be executed as a parameter to the Web Viewer Example. This parameter can be a path for a design on the local file system, or a URL for HTTP or FTP access. A URL parameter could allow a malicious user to specify a BIRT design in an environment controlled by them and not part of the web application hosting the Web Viewer Example. This BIRT design could contain malicious JavaScript code that is then executed on the server running the Web Viewer Example.


This vulnerability is exploitable only if the application server allows outbound HTTP or FTP requests initiated from an application running in the server, and only if the URL parameter has been exposed as part of the application.


Recommendation and Resolution


There are three recommendations for mitigating this vulnerability:


- Ensure the application server hosting the Web Viewer Example and/or the network infrastructure does not permit outbound HTTP or FTP requests initiated from within the Web Viewer Example application.

- Modify the Web Viewer Example source code to disable or restrict the feature that allows URL-based access to BIRT designs. The Web Viewer Example is intended as an example and all source code is provided. Suggested changes are referenced in Bugzilla 336767. These provide additional control of the URL-based access to BIRT designs and enable the feature to be disabled or restricted to only allow designs to be accessed from a known domain.

- Upgrade to BIRT 2.6.2 or later (when available), which incorporates the changes referenced in Bugzilla 336767 to easily disable or restrict URL-based access to BIRT designs, with the default being to restrict access to designs located on the current domain only.
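As an added example in the spirit of the second and third recommendations (this is not the project's code and not the change referenced in Bugzilla 336767), a small policy class that rejects URL-based design locations unless the host is the viewer's own domain or is explicitly allow-listed, can switch URL-based access off entirely, and keeps file-system locations under a configured report directory. The class, method and host names and the report directory are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;
/** Illustrative policy for the viewer's design-location parameter (hypothetical, not BIRT's own code). */
public final class ReportLocationPolicy {
    private static final Pattern REMOTE = Pattern.compile("(?i)^(https?|ftp)://.*");
    private static final Pattern OTHER_SCHEME = Pattern.compile("^[A-Za-z][A-Za-z0-9+.-]+:.*"); // file:, jar:, ...
    private final boolean urlAccessEnabled;  // false = URL-based designs rejected outright
    private final Set<String> allowedHosts;  // extra lower-case hosts; empty = current domain only
    private final Path reportRoot;           // directory that holds the local .rptdesign files

    public ReportLocationPolicy(boolean urlAccessEnabled, Set<String> allowedHosts, Path reportRoot) {
        this.urlAccessEnabled = urlAccessEnabled;
        this.allowedHosts = allowedHosts;
        this.reportRoot = reportRoot.toAbsolutePath().normalize();
    }

    /** currentHost is the host name the viewer itself is served from. */
    public boolean isAllowed(String location, String currentHost) {
        if (location == null || !location.toLowerCase(Locale.ROOT).endsWith(".rptdesign")) return false;
        if (REMOTE.matcher(location).matches()) return remoteHostAllowed(location, currentHost);
        if (OTHER_SCHEME.matcher(location).matches()) return false; // only plain paths and http/ftp URLs
        // Local design: after collapsing ".." segments the path must still lie under reportRoot
        return reportRoot.resolve(location).normalize().startsWith(reportRoot);
    }

    private boolean remoteHostAllowed(String location, String currentHost) {
        if (!urlAccessEnabled) return false;
        try {
            String host = new URI(location).getHost(); // for "http://a@b/..." this is "b", not "a"
            if (host == null) return false;
            host = host.toLowerCase(Locale.ROOT);
            return host.equals(currentHost.toLowerCase(Locale.ROOT)) || allowedHosts.contains(host);
        } catch (URISyntaxException e) {
            return false;
        }
    }

    public static void main(String[] args) { // constructed sample inputs
        ReportLocationPolicy p = new ReportLocationPolicy(true, Set.of(), Paths.get("/var/birt/reports"));
        for (String s : new String[] { "sales/monthly.rptdesign", "../../etc/passwd.rptdesign",
                "http://viewer.example.internal/x.rptdesign", "ftp://other.example/x.rptdesign" }) {
            System.out.println((p.isAllowed(s, "viewer.example.internal") ? "ALLOW " : "DENY  ") + s);
        }
    }
}
```

With the constructor above, the first and third samples are allowed and the two others are denied; the check belongs before the parameter is handed to the report engine.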


For details, see Bugzilla 336767.