We use Stimulsoft Web Reports and found that StiDropDownMenu has a potential security vulnerability.
If the request URL of the page that hosts the report viewer contains a JavaScript injection (e.g. http://some url here/report.aspx?anything','ReportViewer');alert('XSS');// ), the injected code will be rendered and executed on the page.
This happens because of the implementation of the Render method in the StiDropDownMenu control.
protected override void Render(HtmlTextWriter writer)
{
…
// Raw request URL, taken straight from the incoming request (not escaped anywhere below).
string absoluteUri = this.viewer.Page.Request.Url.AbsoluteUri;
…
// The URL is concatenated into a single-quoted JavaScript string literal as-is,
// so a quote in the query string terminates the literal and the rest of the URL
// is emitted as JavaScript code.
writer.WriteLine(string.Concat(new object[] {
    "BuildMenu(toolbar", this.ID, "Menu, '",
    this.Width, "', '",
    buttonImagesPath, "', \"",
    postBackEventReference, "\", '",
    absoluteUri, "', '",
    this.viewer.ClientID, "');" }));
} // closes a block whose opening is in the elided part above
writer.WriteLine("</script>");
writer.WriteLine("</div>");
}
In a browser, this looks like this:
BuildMenu(toolbarPrintMenu, '140px', '/sitecore/shell/Themes/Standard/Reports/', "__doPostBack('ReportViewer','callbackCommand')", 'http://some url here/report.aspx?stimulreport_btnimage=Loading.gif','ReportViewer');alert('XSS');//&sti_ReportViewer_export=callbackCommand', 'ReportViewer');
Thx.
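The following is an added example that is not part of the post above and not Stimulsoft's code. It mirrors the string.Concat pattern from the decompiled Render method in JavaScript, executes the generated statement the way a browser would (with BuildMenu and alert replaced by recorders) to show that the quoted payload reaches alert, and then emits the same call with each server-supplied value encoded as a JavaScript string literal. The image path, the hostname example.test and the helper names are assumptions chosen for the example.

```javascript
// Added example, not Stimulsoft code: why the BuildMenu(...) line is injectable,
// and what the same line looks like with proper JS-string encoding.

// Mirrors the string.Concat(...) in Render: the request URL is dropped into a
// single-quoted JS literal without any escaping. (Image path is assumed.)
function buildMenuScriptUnsafe(absoluteUri, viewerClientId) {
  return "BuildMenu(toolbarPrintMenu, '140px', '/images/', " +
    "\"__doPostBack('ReportViewer','callbackCommand')\", '" +
    absoluteUri + "', '" + viewerClientId + "');";
}

// Hardened form: encode each server-supplied value as a JS string literal.
// JSON.stringify escapes quotes and backslashes; "</" and the U+2028/2029 line
// terminators are escaped additionally so the literal can neither close the
// enclosing <script> element nor break the statement.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/<\//g, "<\\/")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function buildMenuScriptSafe(absoluteUri, viewerClientId) {
  return "BuildMenu(toolbarPrintMenu, '140px', '/images/', " +
    "\"__doPostBack('ReportViewer','callbackCommand')\", " +
    jsStringLiteral(absoluteUri) + ", " + jsStringLiteral(viewerClientId) + ");";
}

// Run the generated statement as the browser would, with BuildMenu and alert
// replaced by recorders, and report what actually executed.
function runGenerated(script) {
  const result = { menuUri: null, alerts: 0, syntaxError: false };
  const BuildMenu = (menu, width, images, postback, uri, id) => { result.menuUri = uri; };
  const alert = () => { result.alerts += 1; };
  try {
    new Function("BuildMenu", "alert", "toolbarPrintMenu", script)(BuildMenu, alert, {});
  } catch (e) {
    if (e instanceof SyntaxError) result.syntaxError = true; else throw e;
  }
  return result;
}

// Constructed sample request URL carrying the payload shape from the report
// (hostname is made up for the example).
const ATTACK_URI = "http://example.test/report.aspx?stimulreport_btnimage=Loading.gif" +
  "','ReportViewer');alert('XSS');//&sti_ReportViewer_export=callbackCommand";

// Stand-alone demonstration.
const unsafeRun = runGenerated(buildMenuScriptUnsafe(ATTACK_URI, "ReportViewer"));
const safeRun = runGenerated(buildMenuScriptSafe(ATTACK_URI, "ReportViewer"));
console.log("unsafe: alert calls =", unsafeRun.alerts, "| URL seen by BuildMenu =", unsafeRun.menuUri);
console.log("safe:   alert calls =", safeRun.alerts, "| URL seen by BuildMenu =", safeRun.menuUri);
```

In the unsafe run BuildMenu receives only the part of the URL before the attacker's quote and alert is called once; in the safe run alert never fires and BuildMenu receives the full URL, payload included, as plain data. The server-side equivalent of jsStringLiteral in ASP.NET is System.Web.HttpUtility.JavaScriptStringEncode applied to absoluteUri and every other value concatenated into that line, rather than relying on the URL being harmless.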