Cross-site scripting (XSS) vulnerability in birt-viewer/run in Eclipse Business Intelligence and Reporting Tools (BIRT) before 2.5.0, as used in KonaKart and other products, allows remote attackers to inject arbitrary web script or HTML via the __report parameter.
This cross-site scripting (XSS) vulnerability in Eclipse BIRT, a reporting tool embedded in products such as KonaKart, lets attackers inject malicious script into web pages served by the viewer. Because the injected script runs in the victim's browser within the context of the vulnerable site, it can lead to account compromise, data theft, and website defacement. Successful exploitation requires no authentication and can affect any user who opens the crafted report URL.
Step 1: Payload Delivery: The attacker crafts a malicious URL containing a JavaScript payload within the __report parameter. This payload is designed to execute arbitrary code within the context of the vulnerable website.
Step 2: Request Submission: The attacker tricks a victim into clicking the malicious URL, or delivers it through a phishing email or another social-engineering technique.
Step 3: Server Processing: The vulnerable BIRT application receives the HTTP request containing the malicious URL. The birt-viewer/run component processes the request, including the __report parameter.
Step 4: Vulnerable Rendering: The application directly incorporates the content of the __report parameter into the HTML response without proper sanitization or encoding.
Step 5: Browser Execution: The victim's web browser receives the HTML response, which now includes the attacker's JavaScript payload. The browser executes the injected script within the context of the vulnerable website.
Step 6: Exploitation: The injected JavaScript can perform various malicious actions, such as stealing cookies, redirecting the user to a phishing site, defacing the website, or running other arbitrary script in the victim's session.
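For the defender, the request in Steps 3 and 4 is the observable event: the reflected value travels in the query string of a GET to birt-viewer/run, so it lands in the web server's access log. The following added example (not part of the original description or of BIRT) scans constructed, Apache-style log lines and flags any __report value that contains markup or does not look like a report-design file reference. The log lines, the client addresses and the rule that a legitimate value ends in .rptdesign are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Apache combined-style); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2010:10:00:00 +0000] "GET /birt-viewer/run?__report=sales.rptdesign&__format=html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2010:10:00:01 +0000] "GET /birt-viewer/run?__report=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2010:10:00:02 +0000] "GET /birt-viewer/run?__report=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2010:10:00:03 +0000] "GET /birt-viewer/frameset?__report=inventory.rptdesign HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

# Pulls the request line ("GET /path?query HTTP/1.1") out of a combined-format entry
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Secondary signal: markup or event-handler fragments that never belong in a report name
SUSPICIOUS_RE = re.compile(r'[<>"\']|javascript:|on[a-z]+\s*=', re.IGNORECASE)

# Primary check (assumed allow-list): a legitimate value is a plain report-design file reference
ALLOWED_VALUE_RE = re.compile(r'^[\w./-]+\.rptdesign$', re.IGNORECASE)


def suspicious_report_values(log_text):
    """Return (client_ip, decoded __report value) for every viewer request whose
    __report parameter contains markup or fails the allow-list check."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.startswith("/birt-viewer/"):
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        for raw in params.get("__report", []):
            # parse_qs already percent-decodes once; decoding again exposes
            # double-encoded (%25xx) payloads that a single pass would miss
            value = unquote(raw)
            if SUSPICIOUS_RE.search(value) or not ALLOWED_VALUE_RE.match(value):
                hits.append((line.split()[0], value))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_report_values(SAMPLE_LOG):
        print(f"{ip}\t{value!r}")
```

The allow-list check does the real work; the denylist regex only labels why a value was rejected. Run the same function over a real access log and the two constructed payload lines above are the kind of entries that should be raised for review.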
The vulnerability stems from insufficient input validation of the __report parameter in the birt-viewer/run component: the application does not sanitize the user-supplied value before rendering it in the page, so JavaScript injected through the parameter is executed by the victim's browser. The root cause is the absence of output encoding or input sanitization for __report, which allows HTML and JavaScript tags to pass through unchanged. In practice the application likely embeds the contents of the __report parameter directly into the HTML response without escaping, producing the reflected XSS; the flaw lies in the server-side code that processes the report request and generates the HTML output.
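The following added example (not BIRT's code, and not code from the original description) models the flaw and its fix side by side. It is a hypothetical handler for a run-style endpoint: the vulnerable version concatenates the raw __report value into the response, the fixed version validates the value against an allow-list and applies contextual output encoding before reflecting it, including on the error path. The templates, the handler name and the rule that a report name ends in .rptdesign are assumptions made for the example.

```python
import html
import re

# Constructed response templates; the reflected value lands in HTML text content
ERROR_TEMPLATE = "<html><body><p>Unable to open report: {name}</p></body></html>"
OK_TEMPLATE = "<html><body><p>Rendering report: {name}</p></body></html>"


def render_error_vulnerable(report_name):
    """The flaw as described: the raw parameter is placed into the HTML unencoded."""
    return ERROR_TEMPLATE.format(name=report_name)


def render_error_fixed(report_name):
    """Output encoding for the HTML text context; quote=True also covers attribute contexts."""
    return ERROR_TEMPLATE.format(name=html.escape(report_name, quote=True))


# Assumed allow-list: a plain report-design file name, no path separators or markup
REPORT_NAME_RE = re.compile(r'^[\w.-]+\.rptdesign$')


def is_valid_report_name(report_name):
    return REPORT_NAME_RE.match(report_name) is not None


def handle_run(params):
    """Hypothetical hardened handler: validate first, encode everything that is reflected."""
    name = params.get("__report", "")
    if not is_valid_report_name(name):
        # Rejected input is still reflected in the error message, so it must still be encoded
        return 400, render_error_fixed(name)
    return 200, OK_TEMPLATE.format(name=html.escape(name, quote=True))


def tag_count(page):
    """Count HTML tags in a rendered page. If reflecting a value raises the count
    above what the template contains, the value was interpreted as markup."""
    return len(re.findall(r'<\s*/?[A-Za-z]', page))


if __name__ == "__main__":
    # Constructed test value: the canonical harmless XSS probe
    probe = "<script>alert(1)</script>"
    print("vulnerable tags:", tag_count(render_error_vulnerable(probe)))  # 8: two tags added
    print("fixed tags:     ", tag_count(render_error_fixed(probe)))       # 6: template only
    print(handle_run({"__report": probe}))
    print(handle_run({"__report": "sales.rptdesign"}))
```

The tag count is a cheap regression check: the template carries six tags, and any reflected value that changes that number has escaped the text context. Input validation narrows what the endpoint accepts; output encoding is what actually prevents the browser from executing whatever still gets reflected.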