Friday, August 19, 2011 At 12:54PM
Lost amongst the numerous issues patched during this month’s Patch Tuesday was a bug I found in Microsoft’s ReportViewer 2005 Web Controls. While the issue was really just a vanilla XSS, the surprising thing was that it was in a product that has been out for 6 years and hasn’t been found or patched in that time. You mean to tell me nobody’s ever fuzzed that request!? We’re not talking about a complex memory corruption bug here! Anyway, the technical details and a walkthrough of the bug can be found below.
The Microsoft ReportViewer control is a freely redistributable control that enables embedding reports in applications developed using the .NET Framework. A Cross-Site Scripting (XSS) vulnerability was found in the Microsoft.ReportViewer.WebForms.dll library. The XSS vulnerability appears to affect all websites that utilize the affected controls.
File: Microsoft.ReportViewer.WebForms.dll (PerformOperation() method of the SessionKeepAliveOperation class)
1) User controllable data enters via the “TimerMethod” URL parameter value and is assigned to the “andEnsureParam” string variable.
string andEnsureParam = HandlerOperation.GetAndEnsureParam(urlQuery, "TimerMethod");
https://test.com/Reserved.ReportViewerWebControl.axd?Mode=true&ReportID=<arbitraryIDvalue>&ControlID=<validControlID>&Culture=1033&UICulture=1033&ReportStack=1&OpType=SessionKeepAlive&TimerMethod=KeepAliveMethodctl00_PlaceHolderMain_SiteTopUsersByHits_ctl00TouchSession0;alert(document.cookie); //&CacheSeed=
(Note: During testing of this issue, it appeared as though a valid ControlID parameter value was needed to exploit this issue)
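For defenders reviewing web server logs, the following is an added example (not part of the original advisory or of Microsoft's code) that flags requests to the ReportViewer handler whose TimerMethod value is anything other than a bare function name. It assumes legitimate TimerMethod values are plain JavaScript identifiers, inferred from the prefix of the value in the URL above; the function names, ReportID and ControlID values are hypothetical.

```python
import re
from urllib.parse import urlsplit, unquote_plus

HANDLER = "reserved.reportviewerwebcontrol.axd"
# Assumption: a legitimate TimerMethod is a bare JavaScript function name.
IDENTIFIER = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*")

def query_params(query):
    """Decode a query string, splitting on '&' only.

    Older urllib.parse.parse_qs releases also split on ';', which would cut
    the value off exactly where the injected statement begins.
    """
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key:
            params.setdefault(unquote_plus(key).lower(), []).append(unquote_plus(value))
    return params

def suspicious_timer_method(request_target):
    """Return the offending TimerMethod value, or None when nothing is flagged."""
    parts = urlsplit(request_target)
    if not parts.path.lower().endswith(HANDLER):
        return None
    for value in query_params(parts.query).get("timermethod", []):
        if not IDENTIFIER.fullmatch(value):
            return value
    return None

# Constructed request targets; ReportID and ControlID are placeholders.
BASE = ("/Reserved.ReportViewerWebControl.axd?Mode=true&ReportID=r1&ControlID=c1"
        "&Culture=1033&UICulture=1033&ReportStack=1&OpType=SessionKeepAlive&TimerMethod=")
NAME = "KeepAliveMethodctl00_PlaceHolderMain_SiteTopUsersByHits_ctl00TouchSession0"
SAMPLES = [
    BASE + NAME + "&CacheSeed=",                                     # benign
    BASE + NAME + "%3Balert(document.cookie)%3B%2F%2F&CacheSeed=",  # percent-encoded
    BASE + NAME + ";alert(document.cookie);//&CacheSeed=",          # unencoded
    "/Default.aspx?TimerMethod=a;b",                                 # different path
]

if __name__ == "__main__":
    for target in SAMPLES:
        print(suspicious_timer_method(target) is not None, target[-60:])
```

Keys and the handler path are compared case-insensitively, and every repeated TimerMethod parameter is checked, so a duplicate parameter cannot hide the flagged value.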
Update to the latest versions. For more information please see http://www.microsoft.com/technet/security/Bulletin/MS11-067.mspx
Author: Adam Bixby