Potential security vulnerability in StiDropDownMenu

Stimulsoft Reports.WEB discussion
Sergey Marchenko
Posts: 1
Joined: Mon Jul 09, 2012 1:48 pm

Potential security vulnerability in StiDropDownMenu

Post by Sergey Marchenko »

Hi,

We use Stimulsoft Web Reports and figured out that StiDropDownMenu has a potential security vulnerability issue.
If the request URL to the page with the report viewer contains some JavaScript injections (e.g. http://some url here/report.aspx?anything','ReportViewer');alert('XSS');// ), the injected code will be rendered and executed on the page.

This happens due to the implementation of the Render method in the StiDropDownMenu control.

protected override void Render(HtmlTextWriter writer)
{
    …
    // Full request URL, including the attacker-controlled query string.
    string absoluteUri = this.viewer.Page.Request.Url.AbsoluteUri;
    …
        // absoluteUri is concatenated into a single-quoted JavaScript string literal without any encoding.
        writer.WriteLine(string.Concat(new object[] { "BuildMenu(toolbar", this.ID, "Menu, '", this.Width, "', '", buttonImagesPath, "', \"", postBackEventReference, "\", '", absoluteUri, "', '", this.viewer.ClientID, "');" }));
    }
    writer.WriteLine("</script>");
    writer.WriteLine("</div>");
}
“absoluteUri” is never checked or sanitized in this code.

In a browser, this looks like this:

BuildMenu(toolbarPrintMenu, '140px', '/sitecore/shell/Themes/Standard/Reports/', "__doPostBack('ReportViewer','callbackCommand')", 'http://some url here/report.aspx?stimulreport_btnimage=Loading.gif','ReportViewer');alert('XSS');//&sti_ReportViewer_export=callbackCommand', 'ReportViewer');
The “BuildMenu” code is rendered several times on the page. That is why the alert appears several times, as described in the scenario.

Thx.
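The concatenation pattern from the Render method above, side by side with a hardened variant that encodes every dynamic value for a JavaScript string-literal context. This is an added example, not Stimulsoft's code; the image path, the `example.invalid` host and the reduced argument list are assumptions made to keep it self-contained.

```csharp
using System;
using System.Web; // HttpUtility is in System.Web.dll (ASP.NET Web Forms)

// Added example, not Stimulsoft's code. Reproduces the unsafe concatenation
// from the Render method and a hardened variant that encodes the URL for a
// JavaScript string-literal context before it is written into the <script>.
public static class MenuScript
{
    // Unsafe: absoluteUri (attacker-influenced via the query string) is dropped
    // into a single-quoted JS literal as-is, so a quote inside it ends the literal.
    public static string UnsafeCall(string absoluteUri, string clientId)
    {
        return "BuildMenu(toolbarPrintMenu, '140px', '/images/', "
             + "\"__doPostBack('" + clientId + "','callbackCommand')\", '"
             + absoluteUri + "', '" + clientId + "');";
    }

    // Hardened: every dynamic value passes through JavaScriptStringEncode, which
    // escapes ' (as \u0027), " and \ with a backslash, control characters, and
    // < > & (as \u003c etc.), so the value can neither leave the literal nor
    // inject a closing </script> tag into the surrounding block.
    public static string HardenedCall(string absoluteUri, string clientId)
    {
        string uri = HttpUtility.JavaScriptStringEncode(absoluteUri);
        string id  = HttpUtility.JavaScriptStringEncode(clientId);
        return "BuildMenu(toolbarPrintMenu, '140px', '/images/', "
             + "\"__doPostBack('" + id + "','callbackCommand')\", '"
             + uri + "', '" + id + "');";
    }

    public static void Main()
    {
        // Constructed request URL with the payload shape reported in the thread
        // (assumed host; the real viewer URL would carry its own query parameters).
        string url = "http://example.invalid/report.aspx?x=a','ReportViewer');alert('XSS');//";

        // Unsafe output: the literal closes at the first ' and the rest is script.
        Console.WriteLine(UnsafeCall(url, "ReportViewer"));
        // Hardened output: the quotes become \u0027, so the URL stays one string.
        Console.WriteLine(HardenedCall(url, "ReportViewer"));
    }
}
```

Encoding must match the context each value lands in; a value that is also written into an HTML attribute needs HTML attribute encoding there, not the JavaScript encoding used here.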
Vladimir
Posts: 1462
Joined: Fri Apr 13, 2007 4:05 am
Location: Earth

Re: Potential security vulnerability in StiDropDownMenu

Post by Vladimir »

Hello, Sergey

Thanks for the bug report, we have fixed this error. The update will be available in the next prerelease build this week.

Thank you.