| VID |
21309 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The Crystal Reports Web Form Viewer on the remote Web server has an information disclosure vulnerability and a denial of service vulnerability. Crystal Reports is a data reporting and publishing tool distributed by Business Objects. The Crystal Reports and Crystal Enterprise Web Viewers do not correctly validate input before accepting certain HTTP requests. By sending a specially crafted HTTP request, a remote attacker could retrieve or remove files through the Crystal Reports and Crystal Enterprise Web Viewers, allowing information disclosure and denial of service attacks on the affected system.
* References:
  * http://www.microsoft.com/technet/security/bulletin/ms04-017.asp
  * http://support.businessobjects.com/fix/hot/critical/bulletins/security_bulletin_june04.asp
* Platforms Affected:
  * Microsoft Business Solutions CRM 1.2
  * Microsoft Outlook 2003 BusinessConMgr
  * Microsoft Visual Studio .NET 2003
  * BEA Systems Weblogic Server 8.1, SP1, 8.1 SP2
  * BEA Systems WebLogic Server for Win32 8.1, SP1, SP2
  * Borland J Builder
  * Business Objects Crystal Enterprise 9.0, 10.0, Java SDK 8.5, RAS for UNIX 8.5
  * Business Objects Crystal Reports 9.0, 10.0 |
| Recommendation |
For Business Objects products: Apply the appropriate patch for your system, as listed in the Business Objects security bulletin at http://support.businessobjects.com/fix/hot/critical/bulletins/security_bulletin_june04.asp
For Microsoft products: Apply the appropriate patch for your system, as listed in Microsoft's security bulletin MS04-017 at http://www.microsoft.com/technet/security/bulletin/ms04-017.mspx |
| Related URL |
CVE-2004-0204 (CVE) |
| Related URL |
10260 (SecurityFocus) |
| Related URL |
16044 (ISS) |
|