Rule: -- Sid: 2581 -- Summary: This event is generated when an attempt is made to exploit a directory traversal associated with the Crystal Reports web viewer. -- Impact: A successful attack may allow unauthorized files to be viewed or possibly deleted. -- Detailed Information: A vulnerability exists in the Crystal Reports web viewer that may permit an attacker to view or delete unauthorized files. The is due to a failure to ensure that that a requested Crystal Report file location is in the web root directory, permitting unauthorized files to be viewed. In addition, Crystal Reports assumes that the requested report file for viewing is a temporary file and deletes it after the web version has been viewed. This problem combined with the directory traversal vulnerability may allow sensitive or valuable files to be deleted. -- Affected Systems: Crystal Reports 8.5 JAVA SDK Crystal Reports RAS 8.5 for UNIX Crystal Reports 9.0 Crystal Enterprise 9.0 Crystal Reports 10 Crystal Reports 10.0 -- Attack Scenarios: An attacker can request to view a file not in the web root directory, permitting unauthorized information disclosure. The viewed file will be deleted subsequently possibly causing harm to the server. -- Ease of Attack: Simple. -- False Positives: None known. -- False Negatives: None known. -- Corrective Action: Upgrade to the latest non-affected version of the software. -- Contributors: Sourcefire Research Team Judy Novak <judy.novak@sourcefire.com> -- Additional References CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0204 Other: http://www.microsoft.com/security/bulletins/200406_crystal.mspx --
