Recently, we discovered that the string type parameter used in Crystal Report is open to script injection, i.e., a regular expression can be sent via these string parameters and run directly against the system database. This only happens, however, when the string is used with the LIKE keyword in the SQL query.
For example, the query may look like this:
SELECT CompanyName
FROM Customers
WHERE CompanyName LIKE {?CompanyParameter}
We have solved this issue by removing the special characters that could pose a threat from the string before we send it to Crystal Report. We hope this will be handled inside Crystal Report itself in the future, so that this major security threat does not affect other Crystal Report users.
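To make the mitigation concrete, here is an added example (not code from the original post or from Crystal Report) that reproduces the situation above with an in-memory SQLite table standing in for the report's database. The table, its sample rows and the function names are constructed for the illustration. It shows that a parameter fed straight into LIKE lets a caller supply wildcards such as % and _ and match far more rows than intended, and that escaping those metacharacters, with an ESCAPE clause so the database knows which character is the escape, makes the parameter match literally while the report keeps control of where wildcards go. The escape set also covers the [ character, which SQL Server's LIKE treats as a character-class opener; escaping it is harmless on databases that do not.

```python
import sqlite3
from typing import List

# Constructed sample data; not taken from the original post.
CUSTOMERS = ["Acme Corp", "Acme Widgets", "Globex", "Initech", "Umbrella_Co"]

# LIKE metacharacters: % (any run), _ (any single character),
# and [ which SQL Server additionally treats as a character class.
LIKE_METACHARS = ("%", "_", "[")
ESCAPE_CHAR = "\\"


def escape_like(value: str) -> str:
    """Escape LIKE metacharacters so the value is matched literally.

    The escape character itself is doubled first so a user cannot
    smuggle in their own escape sequences.
    """
    out = value.replace(ESCAPE_CHAR, ESCAPE_CHAR * 2)
    for ch in LIKE_METACHARS:
        out = out.replace(ch, ESCAPE_CHAR + ch)
    return out


def _customers_db() -> sqlite3.Connection:
    """Build the stand-in Customers table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (CompanyName TEXT)")
    conn.executemany("INSERT INTO Customers VALUES (?)", [(n,) for n in CUSTOMERS])
    return conn


def search_unsafe(param: str) -> List[str]:
    """Mirror of the report query: the parameter is used as the LIKE pattern as-is.

    The value is bound, so this is not classic SQL injection, but any
    wildcard the caller supplies is still interpreted by LIKE.
    """
    conn = _customers_db()
    rows = conn.execute(
        "SELECT CompanyName FROM Customers WHERE CompanyName LIKE ?", (param,)
    ).fetchall()
    return [r[0] for r in rows]


def search_escaped(param: str) -> List[str]:
    """Hardened form: escape the caller's text, then append the one wildcard
    the report intends (a prefix search), and declare the escape character."""
    conn = _customers_db()
    pattern = escape_like(param) + "%"
    rows = conn.execute(
        "SELECT CompanyName FROM Customers WHERE CompanyName LIKE ? ESCAPE '\\'",
        (pattern,),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    # A lone "%" dumps every customer through the unsafe path ...
    print("unsafe  '%'        ->", search_unsafe("%"))
    # ... but matches nothing once escaped, because no name starts with a literal %.
    print("escaped '%'        ->", search_escaped("%"))
    # The underscore is a single-character wildcard unless escaped.
    print("unsafe  'Umbrella_Co' ->", search_unsafe("Umbrella_Co"))
    print("escaped 'Umbrella_' ->", search_escaped("Umbrella_"))
    # Ordinary prefix search still works in the hardened form.
    print("escaped 'Acme'     ->", search_escaped("Acme"))
```

The same escaping can be applied in the application code that populates the Crystal Report parameter; the essential points are that the escape character is doubled before the metacharacters are escaped, and that the query declares that escape character so the database does not silently ignore it.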