Reported June 08, 2004, by Microsoft

VERSIONS AFFECTED

  • Visual Studio .NET 2003
  • Microsoft Office Outlook 2003 with Business Contact Manager
  • Microsoft Business Solutions Customer Relationship Management (CRM) 1.2

DESCRIPTION
A directory traversal vulnerability exists in Crystal Reports and Crystal Enterprise from Business Objects that could result in information disclosure and a Denial of Service (DoS). An attacker who successfully exploits this vulnerability could retrieve and delete files on the vulnerable system through the Crystal Reports and Crystal Enterprise Web viewers. (Visual Studio .NET 2003 and Outlook 2003 with Business Contact Manager redistribute Crystal Reports; Business Solutions CRM 1.2 redistributes Crystal Enterprise.) The number of files that this vulnerability affects depends on the security context of the affected component that the Crystal Web viewer uses. A system can be vulnerable only if it has Microsoft Internet Information Services (IIS) installed.

VENDOR RESPONSE
Microsoft has released bulletin MS04-017, "Vulnerability in Crystal Reports Web Viewer Could Allow Information Disclosure and Denial of Service" (842689), to address this vulnerability and recommends that affected users apply the appropriate patch listed in the bulletin.

CREDIT
Discovered by Business Objects.