Creating reports and dashboards | Stimulsoft community forum

Reporting tool and data analytics tools for creating reports and dashboards in ASP.NET, ASP.NET MVC, .NET Core, Blazor, Angular, PHP, Python, WPF, JavaScript, and Java applications.
https://forum.stimulsoft.com/

Security issue with .NET code execution on server

https://forum.stimulsoft.com/viewtopic.php?t=61468

Page 1 of 1

Security issue with .NET code execution on server

Posted: Thu Nov 30, 2023 8:06 am
by olegtr
Hi,
We're using Reports.NET. We compile and render reports within our backend server running as Windows Service.
Our security engineers managed to embed malicious code within the code of a report and get access to the server from outside.

Here is the simplest example of a malicious code that can access the local file system on the server.

Code: Select all

namespace Reports
{
    public class Report : Stimulsoft.Report.StiReport
    {
        public Report()        {
            	this.InitializeComponent();
			
		string filePath = "c:/report.txt";
		string fileContent = "This is sample content.";
		File.WriteAllText(filePath, fileContent); 
        }

        #region StiReport Designer generated code - do not modify
	#endregion StiReport Designer generated code - do not modify
    }
}
The above code is executed when we're compiling the report using StiReport.Compile();
Basically, you can run any code that can do very bad stuff on the server, including starting a reverse shell.

Is there anything that could be done to limit the report's code so that it would not be able to access any local computer resources?

I tried setting "Stimulsoft.Report.StiOptions.Engine.FullTrust = false;" before the report's compilation but the "StiReport.Compile();" just stopped compiling any report, even w/o any malicious code, no errors, just no compiled report prepared.

Any help would be appreciated.

Re: Security issue with .NET code execution on server

Posted: Fri Dec 01, 2023 1:27 am
by Lech Kulikowski
Hello,

You can set the CalculationMode property of the report to Interpretation to avoid using any code in the report.

Thank you.

Re: Security issue with .NET code execution on server

Posted: Sun Dec 03, 2023 11:17 am
by olegtr
Thanks, Lech.

Using the Interpretation calculation mode indeed does not run the C# code anymore. That's great but there are issues now with groupings and conditions.
For example, a simple use of {Count()} expression in a Group Header Band stopped working.

We're using Reports.NET 2014.2 version.

Appreciate your help.

Re: Security issue with .NET code execution on server

Posted: Mon Dec 04, 2023 11:59 pm
by Lech Kulikowski
Hello,

Please check the last release build. In the 2014.x.x version, the Interpretation mode was relatively new.

Thank you.
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited