MS11-067: Vulnerability in Microsoft Report Viewer Could Allow Information Disclosure (2578230)
2011-08-09T00:00:00
ID SMB_NT_MS11-067.NASL Type nessus Reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. Modified 2021-01-02T00:00:00
Description
The installed version of the Microsoft Report Viewer control fails to
properly validate parameters within a data source, which results in a
reflected (or non-persistent) cross-site scripting vulnerability.
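If an attacker can trick a user into clicking on a link to a malicious
server, he could inject a client-side script in the user's browser.
Because the flaw is reflected XSS, that script runs in the context of
the site hosting the Report Viewer control, where it could be used to
spoof content or disclose sensitive information.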
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Registration branch: when `description` is set the script only declares
# its metadata and exits; none of the checks further down are run.
if (description)
{
  script_id(55797);
  script_version("1.19");
  script_cvs_date("Date: 2018/11/15 20:50:31");

  # Cross-references: one CVE, one Bugtraq ID, the bulletin and the two KB
  # articles that the file checks below are keyed on.
  script_cve_id("CVE-2011-1976");
  script_bugtraq_id(49033);
  script_xref(name:"MSFT", value:"MS11-067");
  script_xref(name:"MSKB", value:"2548826");
  script_xref(name:"MSKB", value:"2579115");

  script_name(english:"MS11-067: Vulnerability in Microsoft Report Viewer Could Allow Information Disclosure (2578230)");
  script_summary(english:"Checks version of Microsoft.ReportViewer.WebForms.dll / ReportViewer.exe / Install.exe");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host contains a web control that could allow
information disclosure.");
  script_set_attribute(attribute:"description", value:
"The installed version of the Microsoft Report Viewer control fails to
properly validate parameters within a data source, which results in a
reflected (or non-persistent) cross-site scripting vulnerability.
If an attacker can trick a user into clicking on a link to a malicious
server, he could inject a client-side script in the user's browser
that in turn could be used to spoof content or disclose sensitive
information.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2011/ms11-067");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Microsoft Visual Studio
2005 SP1 and the Microsoft Report Viewer 2005 SP1 Redistributable
Package.");
  # CVSS v2 base vector as declared: network access, medium complexity, no
  # authentication, partial integrity impact only (C:N/I:P/A:N). The title
  # and synopsis speak of information disclosure, yet the vector scores no
  # confidentiality impact, so triage should not rely on the score alone.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  # Temporal vector as declared: proof-of-concept code (E:POC), official
  # fix (RL:OF), confirmed report (RC:C).
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/08/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/08/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/08/09");

  # Declared as a local check: the code after this branch reads the
  # registry and file versions over an authenticated SMB session.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:report_viewer");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:visual_studio");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");

  # Scheduling constraints: two dependency scripts and one required KB key.
  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  # NOTE(review): the list mixes the SMB ports with a KB key name;
  # presumably either an open port or that key is enough to run - confirm.
  script_require_ports(139, 445, 'Host/patch_management_checks');

  exit(0);
}
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");
include("audit.inc");
# Stop early unless the knowledge base says bulletin checks are possible.
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

# Bulletin and KB article numbers shared by the checks below.
bulletin = 'MS11-067';
kbs = make_list("2548826", "2579115");
# When patch-management data is present in the KB, the bulletin and KB
# numbers are handed to the third-party hotfix check.
# NOTE(review): hotfix_check_3rd_party() lives in an include; whether it
# returns or exits the script is not visible from here - confirm.
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);

# The registry must have been enumerated and the Windows version recorded;
# a missing version ends the script with exit code 1.
get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# System root, used later to build the redistributable's directory.
winroot = hotfix_get_systemroot();
if (!winroot) exit(1, "Can't get the system root.");
# Connect to the appropriate share.
# The SMB transport and the scan credentials come from the knowledge base.
# The password is only passed to NetUseAdd() below; nothing in this script
# writes it to the report or to an exit message.
# NOTE(review): `port` is not referenced again in this script; it may be
# read as a global by the included SMB helpers - confirm before removing.
port = kb_smb_transport();
login = kb_smb_login();
pass = kb_smb_password();
domain = kb_smb_domain();

if(! smb_session_init()) audit(AUDIT_FN_FAIL, "smb_session_init");
# NOTE(review): presumably tells the hotfix file-check helpers that the SMB
# session is already initialised - confirm in smb_hotfixes_fcheck.inc.
hcf_init = TRUE;

# Connect to remote registry.
# Both failure paths below end with exit code 1 instead of reporting the
# host as unaffected, so a host whose IPC$ share or remote registry cannot
# be reached with the supplied account is not silently passed.
rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if (rc != 1)
{
  NetUseDel();
  exit(1, "Can't connect to IPC$ share.");
}

hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if (isnull(hklm))
{
  NetUseDel();
  exit(1, "Can't connect to remote registry.");
}

# Detect Visual Studio 2005 installs
# Only this one key is queried.
# NOTE(review): on 64-bit Windows a 32-bit Visual Studio 2005 would
# typically register under SOFTWARE\Wow6432Node\...; this script does not
# look there, which could hide an install - confirm whether that view is
# covered elsewhere.
key = "SOFTWARE\Microsoft\VisualStudio\8.0";
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if (!isnull(key_h))
{
  item = RegQueryValue(handle:key_h, item:"InstallDir");
  if (!isnull(item))
  {
    # presumably item[1] holds the value data - confirm against smb_func.inc
    vs2005_path = item[1];
    # Strip a trailing "\Common7\IDE\" (case-insensitive) to get the
    # install root.
    # NOTE(review): if InstallDir lacks that suffix the string is presumably
    # returned unchanged, so the path built later would point at a
    # directory that does not exist - confirm.
    vs2005_root = ereg_replace(
      pattern:"^(.+)\\Common7\\IDE\\$", replace:"\1", string:vs2005_path,
      icase:TRUE
    );
  }
  RegCloseKey(handle:key_h);
}
RegCloseKey(handle:hklm);
# NOTE(review): close:FALSE presumably drops the IPC$ connection but keeps
# the SMB session open for the file checks that follow - confirm.
NetUseDel(close:FALSE);
# Decide whether the Report Viewer redistributable's files should be probed.
#
# At report_paranoia 2 or above the package is simply assumed to be
# present: the only cost is a couple of extra file lookups during the scan.
# Below that level the enumerated uninstall entries are searched for a
# display name starting with "Microsoft Report Viewer Redistributable 2005"
# (case-insensitive).
if (report_paranoia < 2)
{
  redistributable_installed = FALSE;

  # The uninstall keys must have been enumerated, otherwise the script stops.
  get_kb_item_or_exit("SMB/Registry/Uninstall/Enumerated");

  installed_names = get_kb_list("SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/*/DisplayName");
  if (!isnull(installed_names))
  {
    foreach kb_key (keys(installed_names))
    {
      product = installed_names[kb_key];
      # Empty display names cannot match.
      if (!product) continue;

      if (ereg(pattern:"^Microsoft Report Viewer Redistributable 2005", string:product, icase:TRUE))
        redistributable_installed = TRUE;
    }
  }
}
else
{
  redistributable_installed = TRUE;
}
# File-version checks.
#
# `vuln` counts the product locations (at most two) in which an outdated
# file was found. Within one location the second file is only checked when
# the first one was not flagged.
#
# Only the two fixed directories built below are inspected. Copies of
# Microsoft.ReportViewer.WebForms.dll stored elsewhere, for instance inside
# a web application's own directory, are not examined by this script.
vuln = 0;

# - Visual Studio 2005 SP1 (KB 2548826): bootstrapper package directory
#   under the install root taken from the registry.
if (vs2005_root)
{
  path = vs2005_root + '\\SDK\\v2.0\\BootStrapper\\Packages\\ReportViewer';

  if (hotfix_is_vulnerable(file:"Microsoft.ReportViewer.WebForms.dll", version:"8.0.50727.5677", path:path, bulletin:bulletin, kb:'2548826'))
    vuln++;
  else if (hotfix_is_vulnerable(file:"ReportViewer.exe", version:"2.0.50727.5677", path:path, bulletin:bulletin, kb:'2548826'))
    vuln++;
}

# - Microsoft Report Viewer 2005 SP1 Redistributable Package (KB 2579115):
#   directory below the .NET Framework v2.0.50727 folder in the system root.
if (redistributable_installed)
{
  path = winroot + "\Microsoft.NET\Framework\v2.0.50727\Microsoft Report Viewer Redistributable 2005";

  if (hotfix_is_vulnerable(file:"Install.exe", version:"8.0.50727.5677", path:path, bulletin:bulletin, kb:'2579115'))
    vuln++;
  else if (hotfix_is_vulnerable(file:"Microsoft.ReportViewer.WebForms.dll", version:"8.0.50727.5677", path:path, bulletin:bulletin, kb:'2579115'))
    vuln++;
}
# Final verdict.
#
# Nothing flagged: release the file-check state and exit with an audit
# message. This path is also taken when neither product was detected, so
# "not affected" here means "no outdated file found in the inspected
# locations", not "the control is absent from the host".
if (!vuln)
{
  hotfix_check_fversion_end();
  exit(0, "The host is not affected.");
}

# At least one outdated file: set the XSS flag and the missing-bulletin
# flag in the knowledge base, emit the warning, then clean up.
# NOTE(review): "www/0/XSS" is keyed on port 0, presumably because this
# local check cannot tell which web port serves the control - confirm.
set_kb_item(name:"www/0/XSS", value:TRUE);
set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
hotfix_security_warning();

hotfix_check_fversion_end();
exit(0);
{"id": "SMB_NT_MS11-067.NASL", "bulletinFamily": "scanner", "title": "MS11-067: Vulnerability in Microsoft Report Viewer Could Allow Information Disclosure (2578230)", "description": "The installed version of the Microsoft Report Viewer control fails to\nproperly validate parameters within a data source, which results in a\nreflected (or non-persistent) cross-site scripting vulnerability.\n\nIf an attacker can trick a user into clicking on a link to a malicious\nserver, he could inject a client-side script in the user's browser\nthat in turn could be used to spoof content or disclose sensitive\ninformation.", "published": "2011-08-09T00:00:00", "modified": "2021-01-02T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "href": "https://www.tenable.com/plugins/nessus/55797", "reporter": "This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.", "references": ["https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2011/ms11-067"], "cvelist": ["CVE-2011-1976"], "type": "nessus", "lastseen": "2021-01-01T05:43:33", "edition": 26, "viewCount": 87, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2011-1976"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310900299", "OPENVAS:900299"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:104453"]}, {"type": "exploitdb", "idList": ["EDB-ID:36020"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:11844", "SECURITYVULNS:DOC:26948"]}, {"type": "mskb", "idList": ["KB2578230"]}], "modified": "2021-01-01T05:43:33", "rev": 2}, "score": {"value": 4.8, "vector": "NONE", "modified": "2021-01-01T05:43:33", "rev": 2}, "vulnersScore": 4.8}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(55797);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2018/11/15 20:50:31\");\n\n script_cve_id(\"CVE-2011-1976\");\n script_bugtraq_id(49033);\n script_xref(name:\"MSFT\", 
value:\"MS11-067\");\n script_xref(name:\"MSKB\", value:\"2548826\");\n script_xref(name:\"MSKB\", value:\"2579115\");\n\n script_name(english:\"MS11-067: Vulnerability in Microsoft Report Viewer Could Allow Information Disclosure (2578230)\");\n script_summary(english:\"Checks version of Microsoft.ReportViewer.WebForms.dll / ReportViewer.exe / Install.exe\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host contains a web control that could allow\ninformation disclosure.\");\n script_set_attribute(attribute:\"description\", value:\n\"The installed version of the Microsoft Report Viewer control fails to\nproperly validate parameters within a data source, which results in a\nreflected (or non-persistent) cross-site scripting vulnerability.\n\nIf an attacker can trick a user into clicking on a link to a malicious\nserver, he could inject a client-side script in the user's browser\nthat in turn could be used to spoof content or disclose sensitive\ninformation.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2011/ms11-067\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Microsoft Visual Studio\n2005 SP1 and the Microsoft Report Viewer 2005 SP1 Redistributable\nPackage.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/08/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/08/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/08/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:report_viewer\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:visual_studio\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n\n exit(0);\n}\n\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"audit.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS11-067';\nkbs = make_list(\"2548826\", \"2579115\");\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);\n\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nwinroot = hotfix_get_systemroot();\nif (!winroot) exit(1, \"Can't get the system root.\");\n\n\n# Connect to the appropriate share.\nport = kb_smb_transport();\nlogin = kb_smb_login();\npass = kb_smb_password();\ndomain = kb_smb_domain();\n\nif(! 
smb_session_init()) audit(AUDIT_FN_FAIL, \"smb_session_init\");\nhcf_init = TRUE;\n\n# Connect to remote registry.\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:\"IPC$\");\nif (rc != 1)\n{\n NetUseDel();\n exit(1, \"Can't connect to IPC$ share.\");\n}\n\nhklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);\nif (isnull(hklm))\n{\n NetUseDel();\n exit(1, \"Can't connect to remote registry.\");\n}\n\n# Detect Visual Studio 2005 installs\nkey = \"SOFTWARE\\Microsoft\\VisualStudio\\8.0\";\nkey_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);\nif (!isnull(key_h))\n{\n item = RegQueryValue(handle:key_h, item:\"InstallDir\");\n if (!isnull(item))\n {\n vs2005_path = item[1];\n vs2005_root = ereg_replace(\n pattern:\"^(.+)\\\\Common7\\\\IDE\\\\$\", replace:\"\\1\", string:vs2005_path,\n icase:TRUE\n );\n }\n RegCloseKey(handle:key_h);\n}\nRegCloseKey(handle:hklm);\nNetUseDel(close:FALSE);\n\n\n# Determine if we should look for the redistributable.\n#\n# nb: other than potentially slowing down a scan because we're trying\n# to check for a couple of files, there's no downside to flagging\n# it as installed.\nredistributable_installed = FALSE;\nif (report_paranoia < 2)\n{\n get_kb_item_or_exit(\"SMB/Registry/Uninstall/Enumerated\");\n\n list = get_kb_list(\"SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/*/DisplayName\");\n if (!isnull(list))\n {\n foreach name (keys(list))\n {\n prod = list[name];\n if (prod && ereg(pattern:\"^Microsoft Report Viewer Redistributable 2005\", string:prod, icase:TRUE))\n {\n redistributable_installed = TRUE;\n }\n }\n }\n}\nelse redistributable_installed = TRUE;\n\n\n\n\n# Check files.\n\nvuln = 0;\n\n# - Visual Studio 2005 SP1\nif (vs2005_root)\n{\n path = vs2005_root + '\\\\SDK\\\\v2.0\\\\BootStrapper\\\\Packages\\\\ReportViewer';\n if (\n hotfix_is_vulnerable(file:\"Microsoft.ReportViewer.WebForms.dll\", version:\"8.0.50727.5677\", path:path, bulletin:bulletin, kb:'2548826') ||\n 
hotfix_is_vulnerable(file:\"ReportViewer.exe\", version:\"2.0.50727.5677\", path:path, bulletin:bulletin, kb:'2548826')\n ) vuln++;\n}\n\n# - Microsoft Report Viewer 2005 SP1 Redistributable Package\nif (redistributable_installed)\n{\n path = winroot + \"\\Microsoft.NET\\Framework\\v2.0.50727\\Microsoft Report Viewer Redistributable 2005\";\n if (\n hotfix_is_vulnerable(file:\"Install.exe\", version:\"8.0.50727.5677\", path:path, bulletin:bulletin, kb:'2579115') ||\n hotfix_is_vulnerable(file:\"Microsoft.ReportViewer.WebForms.dll\", version:\"8.0.50727.5677\", path:path, bulletin:bulletin, kb:'2579115')\n ) vuln++;\n}\n\n\n# Report a problem if a vulnerable instance was found.\nif (vuln)\n{\n set_kb_item(name:\"www/0/XSS\", value:TRUE);\n\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_warning();\n\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n exit(0, \"The host is not affected.\");\n}\n", "naslFamily": "Windows : Microsoft Bulletins", "pluginID": "55797", "cpe": ["cpe:/a:microsoft:report_viewer", "cpe:/a:microsoft:visual_studio"], "scheme": null}
{"cve": [{"lastseen": "2020-10-03T11:39:27", "description": "Cross-site scripting (XSS) vulnerability in the Report Viewer Control in Microsoft Visual Studio 2005 SP1 and Report Viewer 2005 SP1 allows remote attackers to inject arbitrary web script or HTML via a parameter in a data source, aka \"Report Viewer Controls XSS Vulnerability.\"", "edition": 3, "cvss3": {}, "published": "2011-08-10T21:55:00", "title": "CVE-2011-1976", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-1976"], "modified": "2018-10-12T22:01:00", "cpe": ["cpe:/a:microsoft:visual_studio:2005", "cpe:/a:microsoft:report_viewer:2005"], "id": "CVE-2011-1976", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1976", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:microsoft:report_viewer:2005:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:visual_studio:2005:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:report_viewer:2005:sp1:redistributable_package:*:*:*:*:*"]}], "openvas": [{"lastseen": "2020-01-08T14:04:37", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-1976"], "description": "This host is missing an important security update according to\n Microsoft Bulletin MS11-067.", "modified": "2020-01-07T00:00:00", "published": "2011-08-11T00:00:00", "id": "OPENVAS:1361412562310900299", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310900299", "type": "openvas", "title": "Microsoft Report Viewer Information Disclosure Vulnerability (2578230)", 
"sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Report Viewer Information Disclosure Vulnerability (2578230)\n#\n# Authors:\n# Veerendra GG <veerendragg@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.900299\");\n script_version(\"2020-01-07T09:06:32+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-07 09:06:32 +0000 (Tue, 07 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2011-08-11 06:41:03 +0200 (Thu, 11 Aug 2011)\");\n script_bugtraq_id(49033);\n script_cve_id(\"CVE-2011-1976\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_name(\"Microsoft Report Viewer Information Disclosure Vulnerability (2578230)\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2548826\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2579115\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-067\");\n\n script_category(ACT_GATHER_INFO);\n 
script_copyright(\"Copyright (C) 2011 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_ms_visual_prdts_detect.nasl\");\n script_mandatory_keys(\"Microsoft/VisualStudio/Ver\");\n script_require_ports(139, 445);\n\n script_tag(name:\"impact\", value:\"Successful exploitation will let the attacker execute arbitrary HTML and\n script code in a user's browser session in context of an affected site.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Visual Studio 2005 Service Pack 1\n\n - Microsoft Report Viewer 2005 Service Pack 1 Re-distributable Package\");\n\n script_tag(name:\"insight\", value:\"A flaw is due to an unspecified input passed to the Microsoft Report\n Viewer Control is not properly sanitised before being returned to the user.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security update according to\n Microsoft Bulletin MS11-067.\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nvisStudVer = get_kb_item(\"Microsoft/VisualStudio/Ver\");\n\nif(visStudVer && visStudVer =~ \"^8\\.\")\n{\n ## MS11-067 Hotfix check\n if((hotfix_missing(name:\"2548826\") == 1))\n {\n studioPath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\VisualStudio\\8.0\", item:\"InstallDir\");\n if(studioPath){\n reportViewPath = studioPath - \"\\Common7\\IDE\\\" + \"\\ReportViewer\";\n sysVer = fetch_file_version(sysPath:reportViewPath, file_name:\"Microsoft.ReportViewer.WebForms.dll\");\n\n if(sysVer && sysVer =~ \"^8\\.\")\n {\n if(version_in_range(version:sysVer, test_version:\"8.0\", test_version2:\"8.0.50727.5676\")){\n security_message( port: 0, data: \"The target 
host was found to be vulnerable\" );\n }\n }\n }\n }\n}\n\nkey = \"SOFTWARE\\Microsoft\\ReportViewer\";\nif(!registry_key_exists(key:key)){\n exit(0);\n}\n\n## MS11-067 Hotfix check\nif((hotfix_missing(name:\"2579115\") == 0)){\n exit(0);\n}\n\nkey = \"SOFTWARE\\Microsoft\\ASP.NET\\\";\nif(!registry_key_exists(key:key)){\n exit(0);\n}\n\nforeach item (registry_enum_keys(key:key))\n{\n path = registry_get_sz(key:key + item, item:\"Path\");\n if(\"\\Microsoft.NET\\Framework\" >< path)\n {\n reportViewPath = path + \"\\Microsoft Report Viewer Redistributable 2005\";\n sysVer = fetch_file_version(sysPath:reportViewPath, file_name:\"Install.res.1025.dll\");\n\n if(sysVer && sysVer =~ \"^8\\.\")\n {\n if(version_in_range(version:sysVer, test_version:\"8.0.50727\", test_version2:\"8.0.50727.5676\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2017-07-20T08:54:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-1976"], "description": "This host is missing an important security update according to\n Microsoft Bulletin MS11-067.", "modified": "2017-07-05T00:00:00", "published": "2011-08-11T00:00:00", "id": "OPENVAS:900299", "href": "http://plugins.openvas.org/nasl.php?oid=900299", "type": "openvas", "title": "Microsoft Report Viewer Information Disclosure Vulnerability (2578230)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms11-067.nasl 6532 2017-07-05 07:42:05Z cfischer $\n#\n# Microsoft Report Viewer Information Disclosure Vulnerability (2578230)\n#\n# Authors:\n# Veerendra GG <veerendragg@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any 
later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will let the attacker execute arbitrary HTML and\n script code in a user's browser session in context of an affected site.\n Impact Level: Application\";\ntag_affected = \"Microsoft Visual Studio 2005 Service Pack 1\n Microsoft Report Viewer 2005 Service Pack 1 Re-distributable Package\";\ntag_insight = \"A flaw is due to an unspecified input passed to the Microsoft Report\n Viewer Control is not properly sanitised before being returned to the user.\";\ntag_solution = \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link.\n http://www.microsoft.com/technet/security/bulletin/ms11-067.mspx\";\ntag_summary = \"This host is missing an important security update according to\n Microsoft Bulletin MS11-067.\";\n\nif(description)\n{\n script_id(900299);\n script_version(\"$Revision: 6532 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-05 09:42:05 +0200 (Wed, 05 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-08-11 06:41:03 +0200 (Thu, 11 Aug 2011)\");\n script_bugtraq_id(49033);\n script_cve_id(\"CVE-2011-1976\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_name(\"Microsoft Report Viewer Information Disclosure Vulnerability 
(2578230)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/45514\");\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/kb/2548826\");\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/kb/2579115\");\n script_xref(name : \"URL\" , value : \"http://www.microsoft.com/technet/security/bulletin/ms11-067.mspx\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2011 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_ms_visual_prdts_detect.nasl\");\n script_mandatory_keys(\"Microsoft/VisualStudio/Ver\");\n script_require_ports(139, 445);\n\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## Check for Visual Studio 2005 SP1\nif(egrep(pattern:\"^8\\..*\", string:get_kb_item(\"Microsoft/VisualStudio/Ver\")))\n{\n ## MS11-067 Hotfix check\n if((hotfix_missing(name:\"2548826\") == 1))\n {\n ## Get Visual Studio 2005 Path\n studioPath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\VisualStudio\\8.0\",\n item:\"InstallDir\");\n if(studioPath){\n ## Construct complete path and get version\n reportViewPath = studioPath - \"\\Common7\\IDE\\\" + \"\\ReportViewer\";\n sysVer = fetch_file_version(sysPath:reportViewPath,\n file_name:\"Microsoft.ReportViewer.WebForms.dll\");\n\n if(sysVer)\n {\n ## Check version range from 8.0 <= 8.0.50727.5677\n if(version_in_range(version:sysVer, test_version:\"8.0\", test_version2:\"8.0.50727.5676\")){\n security_message(0);\n }\n }\n }\n 
}\n}\n\n## Check Microsoft Report Viewer 2005 Service Pack 1 Re-distributable Package\n## Check Microsoft Report Viewer Installed or not\nkey = \"SOFTWARE\\Microsoft\\ReportViewer\";\nif(!registry_key_exists(key:key)){\n exit(0);\n}\n\n## MS11-067 Hotfix check\nif((hotfix_missing(name:\"2579115\") == 0)){\n exit(0);\n}\n\n## Get the path for Microsoft Report Viewer 2005\nkey = \"SOFTWARE\\Microsoft\\ASP.NET\\\";\nif(!registry_key_exists(key:key)){\n exit(0);\n}\n\n## Get Microsoft Report Viewer Installed Path\nforeach item (registry_enum_keys(key:key))\n{\n path = registry_get_sz(key:key + item, item:\"Path\");\n if(\"\\Microsoft.NET\\Framework\" >< path)\n {\n ## Construct complete path and get version\n reportViewPath = path + \"\\Microsoft Report Viewer Redistributable 2005\";\n sysVer = fetch_file_version(sysPath:reportViewPath,\n file_name:\"Install.res.1025.dll\");\n\n if(sysVer)\n {\n ## Check version range from 8.0 <= 8.0.50727.5677\n if(version_in_range(version:sysVer, test_version:\"8.0.50727\", test_version2:\"8.0.50727.5676\"))\n {\n security_message(0);\n exit(0);\n }\n }\n }\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:15:39", "description": "", "published": "2011-08-25T00:00:00", "type": "packetstorm", "title": "Microsoft Report Viewer Cross Site Scripting", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1976"], "modified": "2011-08-25T00:00:00", "id": "PACKETSTORM:104453", "href": "https://packetstormsecurity.com/files/104453/Microsoft-Report-Viewer-Cross-Site-Scripting.html", "sourceData": "`================================================== \nCross-Site Scripting (XSS) in Microsoft ReportViewer Controls \nAdam Bixby - Gotham Digital Science (labs@gdssecurity.com) \nPublic Release Date: 8/9/2011 \nConfirmed Affected Software: Microsoft Report Viewer Redistributable 2005 SP1 and Microsoft Visual Studio 2005 Service Pack 1 \nBrowser used for 
testing: IE8 (8.0.7601.17514) \nSeverity: High \nMS Bulletin: MS11-067 - http://www.microsoft.com/technet/security/Bulletin/MS11-067.mspx \nCVE: CVE-2011-1976 \n \n================================================== \n1. Summary \n================================================== \nThe Microsoft ReportViewer Controls are a freely redistributable control that enables embedding reports in applications developed using the .NET Framework. A Cross-Site Scripting (XSS) vulnerability was found in the Microsoft.ReportViewer.WebForms.dll. The XSS vulnerability appears to affect all websites that utilize the affected controls. \n \n================================================== \n2. Technical Details \n================================================== \nFile: Microsoft.ReportViewer.WebForms.dll (PerformOperation() method of the SessionKeepAliveOperation class) \n1) User controllable data enters via the \"TimerMethod\" URL parameter value and is assigned to the \"andEnsureParam\" string variable. \n \nstring andEnsureParam = HandlerOperation.GetAndEnsureParam(urlQuery, \"TimerMethod\"); \n \n2) The \"andEnsureParam\" variable with user-controllable input is then passed into the \"s\" string variable which is dynamically building a javascript block. The \"s\" variable is then passed to response.write(). Writing the un-validated data to the JS block creates the XSS exposure. \n \nstring s = string.Format(CultureInfo.InvariantCulture, \"<html><body><script type=\\\"text/javascript\\\">parent.{0}();</script></body></html>\", new object[] { andEnsureParam }); \nresponse.Write(s); \n \n================================================== \n3. Proof-of-Concept Exploit \n================================================== \nThis vulnerability can be exploited against websites that have deployed the vulnerable Microsoft.ReportViewer.WebForms.dll. 
You will note that since the data is being written into an existing Javascript block that the attacker does not need to include any opening or closing tags (i.e.,<img>, <script>, etc) to execute code. \n \nReproduction Request: \nhttps://test.com/Reserved.ReportViewerWebControl.axd?Mode=true&ReportID=<arbitraryIDvalue>&ControlID=<validControlID>&Culture=1033&UICulture=1033&ReportStack=1&OpType=SessionKeepAlive&TimerMethod=KeepAliveMethodctl00_PlaceHolderMain_SiteTopUsersByHits_ctl00TouchSession0;alert(document.cookie);//&CacheSeed= \n \n(Note: During testing of this issue, it appeard as though a valid ControlID parameter value was needed to exploit this issue) \n \n================================================== \n4. Recommendation \n================================================== \nUpdate to the latest versions. For more information please see http://www.microsoft.com/technet/security/Bulletin/MS11-067.mspx \n \n================================================== \n5. About Gotham Digital Science \n================================================== \nGotham Digital Science (GDS) is an information security consulting firm that works with clients to identify, prevent, and manage security risks. For more information on GDS, please contact info@gdssecurity.com or visit http://www.gdssecurity.com. \n`\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/104453/microsoftreportviewer-xss.txt"}], "exploitdb": [{"lastseen": "2016-02-04T02:31:59", "description": "Microsoft Visual Studio Report Viewer 2005 Control Multiple Cross Site Scripting Vulnerabilities. CVE-2011-1976. 
Remote exploit for windows platform", "published": "2011-08-09T00:00:00", "type": "exploitdb", "title": "Microsoft Visual Studio Report Viewer 2005 Control Multiple Cross Site Scripting Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1976"], "modified": "2011-08-09T00:00:00", "id": "EDB-ID:36020", "href": "https://www.exploit-db.com/exploits/36020/", "sourceData": "source: http://www.securityfocus.com/bid/49033/info\r\n\r\nMicrosoft Visual Studio is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.\r\n\r\nAn attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to spoof content or disclose sensitive information. \r\n\r\nhttps://www.example.com/Reserved.ReportViewerWebControl.axd?Mode=true&ReportID=%3CarbitraryIDvalue%3E&ControlID=%3CvalidControlID%3E&Culture=1033&UICulture=1033&ReportStack=1&OpType=SessionKeepAlive&TimerMethod=KeepAliveMethodctl00_PlaceHolderMain_SiteTopUsersByHits_ctl00TouchSession0;alert(document.cookie);//&CacheSeed= ", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/36020/"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:41", "bulletinFamily": "software", "cvelist": ["CVE-2011-1976"], "description": "==================================================\r\nCross-Site Scripting (XSS) in Microsoft ReportViewer Controls \r\nAdam Bixby - Gotham Digital Science (labs@gdssecurity.com) \r\nPublic Release Date: 8/9/2011\r\nConfirmed Affected Software: Microsoft Report Viewer Redistributable 2005 SP1 and Microsoft Visual Studio 2005 Service Pack 1\r\nBrowser used for testing: IE8 (8.0.7601.17514)\r\nSeverity: High\r\nMS Bulletin: MS11-067 - http://www.microsoft.com/technet/security/Bulletin/MS11-067.mspx\r\nCVE: 
CVE-2011-1976\r\n\r\n==================================================\r\n1. Summary\r\n==================================================\r\nThe Microsoft ReportViewer Controls are a freely redistributable control that enables embedding reports in applications developed using the .NET Framework. A Cross-Site Scripting (XSS) vulnerability was found in the Microsoft.ReportViewer.WebForms.dll. The XSS vulnerability appears to affect all websites that utilize the affected controls.\r\n\r\n==================================================\r\n2. Technical Details\r\n==================================================\r\nFile: Microsoft.ReportViewer.WebForms.dll (PerformOperation() method of the SessionKeepAliveOperation class)\r\n1) User controllable data enters via the "TimerMethod" URL parameter value and is assigned to the "andEnsureParam" string variable.\r\n\r\nstring andEnsureParam = HandlerOperation.GetAndEnsureParam(urlQuery, "TimerMethod");\r\n\r\n2) The "andEnsureParam" variable with user-controllable input is then passed into the "s" string variable which is dynamically building a javascript block. The "s" variable is then passed to response.write(). Writing the un-validated data to the JS block creates the XSS exposure.\r\n\r\nstring s = string.Format(CultureInfo.InvariantCulture, "&lt;html&gt;&lt;body&gt;&lt;script type=\"text/javascript\"&gt;parent.{0}();&lt;/script&gt;&lt;/body&gt;&lt;/html&gt;", new object[] { andEnsureParam });\r\nresponse.Write(s);\r\n\r\n==================================================\r\n3. Proof-of-Concept Exploit\r\n==================================================\r\nThis vulnerability can be exploited against websites that have deployed the vulnerable Microsoft.ReportViewer.WebForms.dll. 
Note that because the data is written into an existing JavaScript block, the attacker does not need to include any opening or closing tags (e.g., <img>, <script>, etc.) to execute code.\r\n\r\nReproduction Request:\r\nhttps://test.com/Reserved.ReportViewerWebControl.axd?Mode=true&ReportID=&lt;arbitraryIDvalue&gt;&ControlID=&lt;validControlID&gt;&Culture=1033&UICulture=1033&ReportStack=1&OpType=SessionKeepAlive&TimerMethod=KeepAliveMethodctl00_PlaceHolderMain_SiteTopUsersByHits_ctl00TouchSession0;alert(document.cookie);//&CacheSeed=\r\n\r\n(Note: During testing of this issue, it appeared as though a valid ControlID parameter value was needed to exploit this issue)\r\n\r\n==================================================\r\n4. Recommendation\r\n==================================================\r\nUpdate to the latest versions. For more information please see http://www.microsoft.com/technet/security/Bulletin/MS11-067.mspx\r\n\r\n==================================================\r\n5. About Gotham Digital Science\r\n==================================================\r\nGotham Digital Science (GDS) is an information security consulting firm that works with clients to identify, prevent, and manage security risks. 
For more information on GDS, please contact info@gdssecurity.com or visit http://www.gdssecurity.com.\r\n", "edition": 1, "modified": "2011-08-30T00:00:00", "published": "2011-08-30T00:00:00", "id": "SECURITYVULNS:DOC:26948", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:26948", "title": "Cross-Site Scripting (XSS) in Microsoft ReportViewer Controls", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:09:43", "bulletinFamily": "software", "cvelist": ["CVE-2011-1976"], "description": "ActiveX cross-site scripting.", "edition": 1, "modified": "2011-08-30T00:00:00", "published": "2011-08-30T00:00:00", "id": "SECURITYVULNS:VULN:11844", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11844", "title": "Microsoft Report Viewer cross-site scripting", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "mskb": [{"lastseen": "2021-01-01T22:41:30", "bulletinFamily": "microsoft", "cvelist": ["CVE-2011-1976"], "description": "<html><body><p>Resolves security vulnerabilities that exist in Microsoft Report Viewer that could allow arbitrary code to run when a maliciously modified file is opened.</p><h2>Introduction</h2><div class=\"kb-summary-section section\">Microsoft has released security bulletin MS11-067. 
To view the complete security bulletin, visit one of the following Microsoft websites: <ul class=\"sbody-free_list\"><li>Home users:<br/><div class=\"indent\"><a href=\"http://www.microsoft.com/security/pc-security/bulletins/201108.aspx\" id=\"kb-link-1\" target=\"_self\">http://www.microsoft.com/security/pc-security/bulletins/201108.aspx</a></div><span class=\"text-base\">Skip the details</span>: Download the updates for your home computer or laptop from the Microsoft Update website now:<br/><div class=\"indent\"><a href=\"http://update.microsoft.com/microsoftupdate/\" id=\"kb-link-2\" target=\"_self\">http://update.microsoft.com/microsoftupdate/</a></div></li><li>IT professionals:<br/><div class=\"indent\"><a href=\"http://www.microsoft.com/technet/security/bulletin/ms11-067.mspx\" id=\"kb-link-3\" target=\"_self\">http://www.microsoft.com/technet/security/bulletin/MS11-067.mspx</a></div></li></ul><span><h3 class=\"sbody-h3\">How to obtain help and support for this security update</h3> <br/>Help installing updates: <br/><a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-4\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals: <br/><a href=\"http://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-5\" target=\"_self\">TechNet Security Troubleshooting and Support</a><br/><br/>Help protect your computer that is running Windows from viruses and malware:<br/><a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-6\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country: <br/><a href=\"https://support.microsoft.com/common/international.aspx\" id=\"kb-link-7\" target=\"_self\">International Support</a><br/><br/></span></div><h2></h2><div class=\"kb-moreinformation-section section\"><h3 class=\"sbody-h3\">More information about this security update</h3><h4 class=\"sbody-h4\">Known issues and additional information about 
this security update</h4>The following articles contain more information about this security update as it relates to individual product versions. The articles may contain known issue information. If this is the case, the known issue is listed under each article link.\u00a0<ul class=\"sbody-free_list\"><li><a href=\"https://support.microsoft.com/en-us/help/2548826\" id=\"kb-link-8\">2548826 </a> MS11-067: Description of the security update for Visual Studio 2005 Service Pack 1: August 9, 2011<br/><br/>The following is the known issue in security update 2548826. For more information about this known issue, see security update 2548826.<ul class=\"sbody-free_list\"><li>When you install this security update on a computer that does not have Visual Studio 2005 installed, you receive a message that states that the update is not applicable. When you close the message, you receive an error message.</li></ul></li><li><a href=\"https://support.microsoft.com/en-us/help/2579115\" id=\"kb-link-9\">2579115 </a> MS11-067: Description of the security update for Microsoft Report Viewer 2005 Service Pack 1 Redistributable Package: August 9, 2011</li></ul></div><h2></h2><div class=\"kb-moreinformation-section section\"><h4 class=\"sbody-h4\">Security update replacement information</h4>This security update does not replace a previously released security update.</div></body></html>", "edition": 3, "modified": "2019-11-06T02:28:54", "id": "KB2578230", "href": "https://support.microsoft.com/en-us/help/2578230/", "published": "2011-08-09T00:00:00", "title": "MS11-067: Vulnerability in Microsoft Report Viewer could allow information disclosure: August 9, 2011", "type": "mskb", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}]}