LFI in Stimulsoft Designer - CVE-2023-25260

Affected Product: Stimulsoft Designer (Web)

Affected Versions: 2023.1.3 (confirmed) 2023.1.4 (allegedly)

Fixed Version: 2023.2.1

CVE-Number: CVE-2023-25260

Severity: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

Discovered by Ing. Simon Schönegger, BSc, MSc, Lejla Sarcevic, BSc, MSc, Dipl-Ing. Rainer Seyer, BSc

During a penetration test for a customer, the penetration testers identified that this customer was using Stimulsoft Reporting Designer (Web) 2023.1.3 as a tool to design and view specifically crafted reports for their customers. During this penetration test the researchers discovered that this version is prone to local file inclusion.

The web version of the Reporting Designer offers the possibility to use a wide variety of local files as Datasource. When selecting a file, the Reporting Designer opens a file selection dialog. However, if the user does not open this dialog and simply inputs a path like C:\windows\temp\localfile.json the software will read this file from the filesystem of the server. Which files may be read depends on the privileges of the user which is used for starting the webserver. If a client runs the webserver as a high privileged user almost all files can be read. This vulnerability can be combined with remote code execution in order to present data without rendering it in the report.

No privileges are required to execute this exploit if the reporting viewer or designer are embedded in a page which lacks authentication. Since the authentication and authorization are measurements that the person who embeds the viewer and designer must implement, the privileges that are required to exploit this vulnerability are referenced as “None”.

Proof of Concept

For this Proof of Concept, the file C:\windows\temp\lfi.json is placed on the server. This file is included in a JSON datasource. When the included file is moved to a resource, the designer is able to see the content of the file

Vendor contact timeline