This is a write-up on public disclosed CVE-2019-11776 where a Cross Site Scripting (Reflected) was found in the __format URL parameter by Vineet Pandey.
So far in my journey, I have done quite a few of Pentesterlab exercises. From these exercises, I learned how important it is to perform a practical testing of any disclosed vulnerabilities as it builds up your system administrative skills (setting up server etc.) and imagine the attack flow for any future applications that you will be testing. You can jump straight into the exploit demonstration first if that interests you more.
Install Tomcat in your machine (using the exe or zip) and go to the folder location. In this write-up, I am using Tomcat version 8.5. You will find a similar directory as below:
Navigate to the
conf folder and open the
tomcat-users.xml file (note that the password is for testing and should not be used for production). Add the following lines between the
<tomcat-users> tag as you need the credentials to login to the manager gui later on.
<user username="tomcat" password"tomcat" roles="manager-gui"/>
Download BirtViewer (any version that is <= 4.7). I am using version 4.7 for this write-up. You can look for Birt Report Engine (https://download.eclipse.org/birt/downloads/build.php?build=R-R1-4.7.0-201706222054).
After you download the zip file, you should unzip the content into a folder. In this particular folder, look for the
Copy the entire
WebViewerExample folder to Tomcat’s
webapps folder. Rename the copied folder to
Go back to the Tomcat’s
bin folder and run the startup script (in Windows, it will be
startup.bat. The resources will now be hosted under localhost:8080. Then open the following URL in your browser (http://localhost:8080/manager/html). The credential will be prompted (enter the credential that you earlier used in the
tomcat-users.xml file). You should see that birt-viewer is running.
Demonstrating the Vulnerability
After Tomcat and BIRT Viewer are configured, you should open this endpoint:
You will see a Parameter UI box appearing. In the CustomerNumber, enter 1 and then click OK. This will generate a report from
Now click on the print report button (see circled icon in the screenshot below). Choose HTML and click OK.
There will be a new Window popping out and the prompt you to print the report. Now, cancel the print action. What we are interested is the URL of this Window pop-out. Copy this URL and then close the Window.
Now, let’s check how our input is reflected in the HTML page. First, append the following payload in
From the HTML source, you can see that our appended payload is appearing in the
<script> tag. It seems like the viewer is generating the format string dynamically. If we add
abc, then the string will become
htmlabc (as seen below).
Now, let’s try to close the html string and then insert another value. You will find that we can actually break out of the format variable to call another method.
After observing this dynamic creation of string, we can insert an alert payload to confirm that XSS exists in the Birt Viewer.
Upgrade to at least version 4.8.