Imperva Application Defense Center has discovered a vulnerability in Crystal Reports Web Viewers, allowing malicious people to disclose the content of arbitrary files or delete these.

The vulnerability is caused due to an input validation error in a module ("crystalimagehandler.aspx", "crystalimagehandler.asp", or "crystalimagehandler.jsp") when processing input passed to the "dynamicimage" parameter. This can be exploited via a specially crafted HTTP request containing a classic directory traversal character sequence.

Example:
http://[victim]/crystalreportviewers/crystalimagehandler.aspx?dynamicimage=..\..\[file]

Successful exploitation allows retrieving or deleting arbitrary files on a vulnerable system via the Crystal Reports and the Crystal Enterprise Web viewers.

It is also possible to consume large amounts of disk space and decrease performance by calling the report generation module repeatedly without retrieving related images.

The vulnerability affects the following products:
* Crystal Enterprise 8.5 Java SDK
* Crystal Enterprise RAS 8.5 for UNIX
* Crystal Reports 9
* Crystal Enterprise 9
* Crystal Reports 10
* Crystal Enterprise 10
* Crystal Reports for Borland JBuilder
* Crystal Reports for BEA WebLogic Workshop 8.1
* Crystal Reports for Borland C# Builder

Solution
Apply update.
Further details available in Customer Area

Provided and/or discovered by
Moran Surf and Amichai Shulman, Imperva Application Defense Center.

Changelog
Further details available in Customer Area

Original Advisory
http://support.businessobjects.com/fix/hot/critical/bulletins/security_bulletin_june04.asp

Deep Links
Links available in Customer Area