[THIN] OT: Crystal Reports security patch

  • From: "Tasita Ebacher" <tebacher@xxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Wed, 9 Jun 2004 15:08:40 -0500

Has anyone who uses Crystal Reports installed the security patch mentioned
below?  I do not have a test environment to test it on and want some input
before going through with it.

Thank you!

Tasita Ebacher
702 Communications
Data Systems Engineer
CCNA


-----Original Message-----
From: Secunia Security Advisories [mailto:sec-adv@xxxxxxxxxxx] 
Sent: Tuesday, June 08, 2004 2:52 PM
To: tebacher@xxxxxxxxxx
Subject: [SA11800] Crystal Reports and Crystal Enterprise Directory Traversal Vulnerability


TITLE:
Crystal Reports and Crystal Enterprise Directory Traversal Vulnerability

SECUNIA ADVISORY ID:
SA11800

VERIFY ADVISORY:
http://secunia.com/advisories/11800/

CRITICAL:
Moderately critical

IMPACT:
Exposure of system information, Exposure of sensitive information, DoS

WHERE:
From remote

SOFTWARE:
Crystal Reports for C#Builder
Crystal Reports for Borland JBuilder
Crystal Reports for BEA WebLogic Workshop
Crystal Reports 9
Crystal Enterprise 10
Crystal Enterprise 9
Crystal Enterprise Java SDK
Crystal Reports 10

DESCRIPTION:
Imperva Application Defense Center has discovered a vulnerability in Crystal
Reports Web Viewers, allowing malicious people to disclose the content of
arbitrary files or delete these.

The vulnerability is caused due to an input validation error when handling
HTTP requests, which can be exploited via directory traversal attacks.

Successful exploitation allows retrieving or deleting arbitrary files on a
vulnerable system via the Crystal Reports and the Crystal Enterprise Web
viewers.
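The input-validation failure the advisory describes is, in effect, a missing check that a client-supplied report name still resolves to a file under the web viewer's report directory once it has been decoded and normalised. The following Python is an added example and is not code from Crystal Reports, Business Objects, or Secunia; the report root, viewer URL prefix, and access-log lines are constructed for illustration. It shows the canonicalisation check a hardened viewer applies before opening or deleting a file, and a retrospective scan of web-server logs a defender can run to spot traversal attempts while the vendor update is being rolled out.

```python
"""Defensive handling of report-file requests: reject directory traversal and
flag it in access logs. Added example, not Crystal Reports code; the report
root, URL prefix and log lines below are constructed for illustration."""
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote

REPORT_ROOT = "/var/opt/reports"   # assumed report root (constructed)
VIEWER_PREFIX = "/viewer/"         # assumed viewer URL prefix (constructed)


def _decode(path: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded '..' (%252e%252e) is caught."""
    for _ in range(rounds):
        nxt = unquote(path)
        if nxt == path:
            break
        path = nxt
    return path


def resolve_report_path(root: str, requested: str) -> Optional[str]:
    """Map a client-supplied report name to a path under root, or None if it escapes.

    This is the check whose absence the advisory describes: the request is decoded,
    separators normalised, '.' and '..' segments collapsed, and the result accepted
    only if it still lies strictly inside the report root.
    """
    decoded = _decode(requested).replace("\\", "/")   # Windows viewers accept either separator
    if "\x00" in decoded:                             # NUL truncation tricks in older runtimes
        return None
    relative = decoded.lstrip("/")                    # never honour a client-supplied absolute path
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, relative))
    if candidate == root_norm or not candidate.startswith(root_norm + "/"):
        return None                                   # the root itself, or anything outside it
    return candidate


_REQ = re.compile(r'"(?:GET|POST|DELETE) (\S+) HTTP/')


def flag_traversal_requests(log_lines: List[str]) -> List[str]:
    """Return decoded request paths that contain a '..' segment after decoding.

    Deliberately conservative: it flags every '..' segment, even ones that would
    still resolve inside the root, so reviewers see the attempts as well as the hits.
    """
    flagged = []
    for line in log_lines:
        m = _REQ.search(line)
        if not m:
            continue
        path = _decode(m.group(1).split("?")[0]).replace("\\", "/")
        if any(seg == ".." for seg in path.split("/")):
            flagged.append(path)
    return flagged


SAMPLE_ACCESS_LOG = [  # constructed lines, not from any real server
    '10.0.0.5 - - [09/Jun/2004:15:08:40 -0500] "GET /viewer/sales/q1.rpt HTTP/1.1" 200 5120',
    '10.0.0.9 - - [09/Jun/2004:15:09:02 -0500] "GET /viewer/..%2f..%2f..%2fwin.ini HTTP/1.1" 200 220',
    '10.0.0.9 - - [09/Jun/2004:15:09:05 -0500] "GET /viewer/%252e%252e/%252e%252e/secret.txt HTTP/1.1" 404 0',
    '10.0.0.7 - - [09/Jun/2004:15:10:11 -0500] "GET /viewer/finance/../sales/q2.rpt HTTP/1.1" 200 4000',
]

if __name__ == "__main__":
    for name in ("sales/q1.rpt", "../../etc/passwd", "%2e%2e%2fwin.ini", "finance/../sales/q2.rpt"):
        print(f"{name!r:32} -> {resolve_report_path(REPORT_ROOT, name)}")
    print("flagged:", flag_traversal_requests(SAMPLE_ACCESS_LOG))
```

Note the difference between the two functions on `finance/../sales/q2.rpt`: the resolver accepts it because the normalised path stays inside the root, while the log scan still flags it, since a `..` segment in a request to a report viewer is worth a look regardless of where it lands. On a live system, add a `realpath` check after the logical one so symbolic links under the report root cannot point outside it.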

The vulnerability affects the following products:
* Crystal Enterprise 8.5 Java SDK
* Crystal Enterprise RAS 8.5 for UNIX
* Crystal Reports 9
* Crystal Enterprise 9
* Crystal Reports 10
* Crystal Enterprise 10
* Crystal Reports for Borland JBuilder
* Crystal Reports for BEA WebLogic Workshop 8.1
* Crystal Reports for Borland C# Builder

SOLUTION:
Apply update.

-- Crystal Enterprise 8.5 Java SDK --

Windows:
ftp://ftp1.businessobjects.com/outgoing/ehf/CriticalUpdate/v85_critical_update_win.zip

Solaris:
ftp://ftp1.businessobjects.com/outgoing/ehf/CriticalUpdate/ce85critical_update_jcesol.tar.gz

AIX:
ftp://ftp1.businessobjects.com/outgoing/ehf/CriticalUpdate/ce85critical_update_jceaix.tar.gz


-- Crystal Enterprise RAS 8.5 for UNIX --

Solaris:
ftp://ftp1.businessobjects.com/outgoing/ehf/CriticalUpdate/ras85critical_update_sol.tar.gz


-- Crystal Reports 9 --

Windows:
ftp://ftp1.businessobjects.com/outgoing/ehf/CriticalUpdate/v9_critical_update_win.zip


-- Crystal Enterprise 9 --

Windows:
ftp://ftp1.businessobjects.com/outgoing/ehf/CriticalUpdate/v9_critical_update_win.zip


-- Crystal Reports 10 --

Windows:
ftp://ftp1.businessobjects.com/outgoing/ehf/CriticalUpdate/v10_critical_update_win.zip


-- Crystal Enterprise 10 --

Windows:
ftp://ftp1.businessobjects.com/outgoing/ehf/CriticalUpdate/v10_critical_update_win.zip

Solaris:
ftp://ftp1.businessobjects.com/outgoing/ehf/CriticalUpdate/ce10critical_update_sol.tar.gz

AIX:
ftp://ftp1.businessobjects.com/outgoing/ehf/CriticalUpdate/ce10critical_update_aix.tar.gz


-- Crystal Reports for Borland JBuilder --

Windows:
ftp://ftp1.businessobjects.com/outgoing/ehf/CriticalUpdate/cr10jbuilder_critical_update_win.zip

Solaris:
ftp://ftp1.businessobjects.com/outgoing/ehf/CriticalUpdate/crjbuilder10critical_update_sol.tar.gz

Linux:
ftp://ftp1.businessobjects.com/outgoing/ehf/CriticalUpdate/crjbuilder10critical_update_lnx.tar.gz


-- Crystal Reports for BEA WebLogic Workshop 8.1 --

Windows:
ftp://ftp1.businessobjects.com/outgoing/ehf/CriticalUpdate/bea81_critical_update_win.zip

Solaris:
ftp://ftp1.businessobjects.com/outgoing/ehf/CriticalUpdate/bea81_critical_update_unix.tar.gz

Linux:
ftp://ftp1.businessobjects.com/outgoing/ehf/CriticalUpdate/bea81_critical_update_unix.tar.gz


-- Crystal Reports for Borland C# Builder --

Windows:
ftp://ftp1.businessobjects.com/outgoing/ehf/CriticalUpdate/bcsharp_critical_update_win.zip

PROVIDED AND/OR DISCOVERED BY:
Imperva Application Defense Center

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help everybody
keep their systems up to date against the latest vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by clicking
the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use
those supplied by the vendor.

----------------------------------------------------------------------