Crystal Reports/Enterprise Disk Space Exhaustion DoS

2004-06-08T15:03:53
ID OSVDB:6747
Type osvdb
Reporter Amichai Shulman(adc@imperva.com), Moran Surf(adc@imperva.com)
Modified 2004-06-08T15:03:53

Description

Vulnerability Description

Crystal Reports and Crystal Enterprise contain a flaw that may allow a remote denial of service. The issue is triggered when a remote user repeatedly accesses the crystalimagehandler.aspx script and requests image creation, and will result in loss of availability for the server by exhausting disk space and slowing connections.
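The following is an added example, not part of the OSVDB entry and not Business Objects code, showing how an operator could spot the pattern described above in IIS W3C logs: it counts requests to crystalimagehandler.aspx per client inside a sliding time window and flags clients that exceed a threshold. The log lines are constructed for the example, and the 60-second window and threshold of 20 requests are assumed tuning values. Because the manual testing note on this page also shows a `dynamicimage` value containing `..`, the same pass flags query strings that carry a traversal sequence.

```python
"""Flag clients hammering crystalimagehandler.aspx in IIS W3C logs.

Added example; not from the OSVDB entry or from Business Objects.
Sample log lines are constructed. WINDOW and THRESHOLD are assumed values.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

HANDLER = "/crystalreportviewers/crystalimagehandler.aspx"
WINDOW = timedelta(seconds=60)   # assumed: sliding window per client
THRESHOLD = 20                   # assumed: image requests per client per window

# Constructed IIS W3C sample (field order matches the #Fields header).
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-06-08 15:03:53 10.0.0.5 GET /crystalreportviewers/viewer.aspx - 200
""" + "\n".join(
    # one client requesting a fresh image 25 times in 25 seconds
    f"2004-06-08 15:04:{i:02d} 192.0.2.10 GET {HANDLER} dynamicimage=report{i}.png 200"
    for i in range(25)
) + """
2004-06-08 15:05:10 10.0.0.5 GET /crystalreportviewers/crystalimagehandler.aspx dynamicimage=chart1.png 200
2004-06-08 15:05:11 10.0.0.7 GET /crystalreportviewers/crystalimagehandler.aspx dynamicimage=..\\..\\mydocuments\\private\\passwords.txt 200
"""


def parse(line):
    """Parse one W3C log line into a dict, or return None for headers/junk."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    return {
        "ts": ts,
        "ip": parts[2],
        "method": parts[3],
        "uri": parts[4].lower(),   # IIS paths are case-insensitive
        "query": parts[5],
        "status": parts[6],
    }


def detect(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return (flooders, traversal_hits).

    flooders: {ip: peak number of handler requests seen within `window`}
              for every client whose peak reached `threshold`.
    traversal_hits: [(ip, query)] for handler requests whose query string
              contains a '..' path segment.
    """
    recent = defaultdict(deque)   # ip -> timestamps inside the window
    peak = defaultdict(int)
    traversal = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["uri"] != HANDLER:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # drop timestamps that have fallen out of the sliding window
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
        if ".." in rec["query"]:
            traversal.append((rec["ip"], rec["query"]))
    flooders = {ip: n for ip, n in peak.items() if n >= threshold}
    return flooders, traversal


if __name__ == "__main__":
    flooders, traversal = detect(SAMPLE_LOG)
    for ip, n in flooders.items():
        print(f"possible image-creation flood: {ip} made {n} requests in {WINDOW.seconds}s")
    for ip, query in traversal:
        print(f"traversal attempt from {ip}: {query}")
```

Detection of this kind is a stop-gap for operators who cannot deploy the vendor patch immediately; the counts tell you who to block, but the disk already consumed by generated images still has to be reclaimed.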

Solution Description

No workaround is known. Business Objects has released a patch that addresses this vulnerability (see the vendor fix URL under References).

Manual Testing Notes

http://[victim]/crystalreportviewers/crystalimagehandler.aspx?dynamicimage=..........\mydocuments\private\passwords.txt

Note that this request uses the dynamicimage parameter to read a file outside the image directory, i.e. it exercises a path-traversal flaw in the same handler rather than the repeated image-creation pattern that causes the disk exhaustion described above.

References:

Vendor Specific Solution URL: http://support.businessobjects.com/fix/hot/critical/default.asp
Vendor Specific Advisory URL
Secunia Advisory ID: 11800
Related OSVDB ID: 6748
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-06/0108.html
ISS X-Force ID: 16046
CVE-2004-1981