Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

Regarding https://userapps.support.sap.com/sap/support/knowledge/en/2997100

Go to solution
viswascope89
Discoverer

on ‎2021 Jun 28 9:29 AM

0 Likes
889

Hi friends,

Any solution available for SAP XXE vulnerbility issue reported in https://userapps.support.sap.com/sap/support/knowledge/en/2997100. We are using CRJ of Exclips version 2016.

in one of our penetration testing we found XXE vulnerability where we are able to inject XML in prptinfo and able to retrieve the server OS files.

"It can be seen that CRVCompositeViewState contains double-URL encoded JSON, where “prptinfo” key exists. This key contains XML string and this XML is prone to the XXE vulnerabilities. During the exploitation, attacker has to make sure that: • Special characters like % and & are double-URL encoded. • Quotes “ are escaped with \ character. In case of error based XXE exploitation, attacker does not need to generate any report (XML will be parsed before report-session checking). In order to exploit this is issue, attacker has to prepare a web server, where “test.dtd” file will be stored."

is this issue fixed in any of the new version?

Thanks

Viswa..

Know the answer?

Help others by sharing your knowledge.

Answer

Need more details?

Request clarification before answering.

Show replies
Show replies
TammyPowlas
SAP Mentor
SAP Mentor
‎2021 Jun 28 1:49 PM

Hi Viswa - the SAP note says this "To solve the issue please apply the Support Package referenced by this SAP Note - 2989075, or use the correction instructions that are attached to this SAP Note."

Did you apply the SAP Note or?

Accepted Solutions (1)

Accepted Solutions (1)

former_member11696
Employee
Employee
‎2021 Jun 29 9:37 PM
0 Likes

Hello, looking at the SAP note it should not affect CR for Eclipse, it's a XML issue between CR and the BOE Servers.

You can get the latest CR for Eclipse here:

https://wiki.scn.sap.com/wiki/display/BOBJ/SAP+Crystal+Reports+version+for+Eclipse+-+Downloads

If you find it is an issue then let us know and I'll have R&D look into it.

Show replies
Show replies

Answers (1)

Answers (1)

viswascope89
Discoverer
‎2021 Jun 28 3:24 PM
0 Likes

Hi Tammy

Thanks your time. Actually i don't have access to SAP Customer Login account to see the solution. Checking with my company are they have one.

Thanks

Viswa

Show replies
Show replies
Ask a Question