We're using Reports.NET. We compile and render reports within our backend server running as Windows Service.
Our security engineers managed to embed malicious code within the code of a report and get access to the server from outside.
Here is the simplest example of a malicious code that can access the local file system on the server.
Code: Select all
namespace Reports
{
public class Report : Stimulsoft.Report.StiReport
{
public Report() {
this.InitializeComponent();
string filePath = "c:/report.txt";
string fileContent = "This is sample content.";
File.WriteAllText(filePath, fileContent);
}
#region StiReport Designer generated code - do not modify
#endregion StiReport Designer generated code - do not modify
}
}Basically, you can run any code that can do very bad stuff on the server, including starting a reverse shell.
Is there anything that could be done to limit the report's code so that it would not be able to access any local computer resources?
I tried setting "Stimulsoft.Report.StiOptions.Engine.FullTrust = false;" before the report's compilation but the "StiReport.Compile();" just stopped compiling any report, even w/o any malicious code, no errors, just no compiled report prepared.
Any help would be appreciated.