Potential security vulnerability in StiDropDownMenu
Posted: Mon Jul 09, 2012 2:00 pm
Hi,

We use Stimulsoft Web Reports and figured out that StiDropDownMenu has a potential security vulnerability issue.

If the request URL to the page with the report viewer contains JavaScript injection (e.g. http://some url here/report.aspx?anything','ReportViewer');alert('XSS');// ), the injected code will be rendered and executed on the page.

This happens due to the implementation of the Render method in the StiDropDownMenu control. "absoluteUri" is never checked and not sanitized in this code.

Code:
protected override void Render(HtmlTextWriter writer)
{
    …
    // Taken straight from the request; nothing is encoded before it is written out.
    string absoluteUri = this.viewer.Page.Request.Url.AbsoluteUri;
    …
        // absoluteUri is concatenated into a single-quoted JavaScript string literal.
        writer.WriteLine(string.Concat(new object[] { "BuildMenu(toolbar", this.ID, "Menu, '", this.Width, "', '", buttonImagesPath, "', \"", postBackEventReference, "\", '", absoluteUri, "', '", this.viewer.ClientID, "');" }));
    }
    writer.WriteLine("</script>");
    writer.WriteLine("</div>");
}

In a browser, this looks like this:

Code:
BuildMenu(toolbarPrintMenu, '140px', '/sitecore/shell/Themes/Standard/Reports/', "__doPostBack('ReportViewer','callbackCommand')", 'http://some url here/report.aspx?stimulreport_btnimage=Loading.gif','ReportViewer');alert('XSS');//&sti_ReportViewer_export=callbackCommand', 'ReportViewer');

The "BuildMenu" code is rendered several times on the page. That is why the alert appears several times, as described in the scenario.

Thx.
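The following is an added example, not Stimulsoft's code and not part of the post above. It reproduces the concatenation pattern from the Render method in a small console program and places the fix beside it: encoding the URL for a JavaScript string context before it is written into the BuildMenu call. The class name, the shortened argument list and the example.invalid URL are assumptions; `HttpUtility.JavaScriptStringEncode` is the real System.Web API.

```csharp
// Added example (not Stimulsoft's code). Assumes .NET Framework with a
// reference to System.Web so that HttpUtility is available.
using System;
using System.Web;

public static class DropDownMenuRenderExample
{
    // Vulnerable pattern from the post: the raw request URI is concatenated
    // into a single-quoted JavaScript string literal without any encoding.
    public static string BuildMenuCallUnsafe(string absoluteUri, string clientId)
    {
        return string.Concat(
            "BuildMenu(toolbarPrintMenu, '140px', '/img/', \"__doPostBack('", clientId,
            "','callbackCommand')\", '", absoluteUri, "', '", clientId, "');");
    }

    // Hardened pattern: every value that lands inside a JS string literal is
    // encoded for that context. JavaScriptStringEncode turns ' into \u0027,
    // " into \" and escapes backslashes and control characters, so the value
    // can no longer terminate the literal or start a new statement.
    public static string BuildMenuCallSafe(string absoluteUri, string clientId)
    {
        string safeUri = HttpUtility.JavaScriptStringEncode(absoluteUri);
        string safeId = HttpUtility.JavaScriptStringEncode(clientId);
        return string.Concat(
            "BuildMenu(toolbarPrintMenu, '140px', '/img/', \"__doPostBack('", safeId,
            "','callbackCommand')\", '", safeUri, "', '", safeId, "');");
    }

    // Defender-side sanity check on the rendered line: count single quotes that
    // are not preceded by a backslash. A well-formed BuildMenu call has an even
    // number; an odd count means some argument broke out of its string literal.
    public static bool HasBalancedSingleQuotes(string js)
    {
        int unescaped = 0;
        for (int i = 0; i < js.Length; i++)
        {
            if (js[i] == '\'' && (i == 0 || js[i - 1] != '\\'))
                unescaped++;
        }
        return unescaped % 2 == 0;
    }

    public static void Main()
    {
        // Constructed sample input with the same shape as the URL in the post.
        string uri = "http://example.invalid/report.aspx?stimulreport_btnimage=Loading.gif"
                   + "','ReportViewer');alert('XSS');//&sti_ReportViewer_export=callbackCommand";

        string unsafeJs = BuildMenuCallUnsafe(uri, "ReportViewer");
        string safeJs = BuildMenuCallSafe(uri, "ReportViewer");

        Console.WriteLine(unsafeJs);
        Console.WriteLine("unsafe line well-formed: " + HasBalancedSingleQuotes(unsafeJs)); // False
        Console.WriteLine(safeJs);
        Console.WriteLine("safe line well-formed:   " + HasBalancedSingleQuotes(safeJs));   // True
    }
}
```

Applied to the Render method quoted above, the change is to pass `HttpUtility.JavaScriptStringEncode(absoluteUri)` into the `string.Concat` call instead of the raw `absoluteUri`. Note that this query string contains no `<`-style markup, so ASP.NET request validation does not reject it; the only effective control here is encoding for the exact output context (a JavaScript string literal), not HTML encoding and not input filtering.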