
Major security issue with Crystal reports viewer 2


Halfcan

Technical User
Dec 8, 2002
214
US
HI

We are using Crystal Reports Viewer to serve our reports to users over the web. If the user uses the export button to export the report, they can open and see everything the report is made of if they are running CR.

This is BAD.

Does anyone know a way to disable the Export Report tool in Crystal Report Viewer?

Stressed,
Andy
 
you didn't say method being used, but can try these:

If using ASP, change in Viewer's asp page (EX: SmartViewerActiveX.asp)
<PARAM NAME="EnableExportButton" VALUE=0>

In CE 8.5, try editing rights, Advanced, export Report's data button.
 
This isn't an application security issue any more than it would be if you used Microsoft Word. This is a security issue specific to your company's individual data-sensitivity requirements. Heading your post 'Major security issue with Crystal Reports viewer' is both inflammatory and inaccurate.

Since the user has a development tool (Crystal Reports), by definition the user is able to open an exported report. If you wish to curtail this ability, you have a couple of options such as those mentioned by TRNCOLS above.

If you use CE 8.5, it would be easiest to manage exports through the use of advanced rights. Another possible alternative is to manage exporting through .CSP scripts.
 
ok, relax there buddy.
As far as I know, we are using the Crystal Smart Viewer with ActiveX. I can't get any more specific.

I can't find anything having to do with *.asp files.
Here is a line from our log file:

63.96.16.172 - - [19/Mar/2003:15:26:41 -0600] "POST /crystal/NetOutage.rpt?cmd=get_ttl&viewer=actx&vfmt=encp&ttl_info=0-5-0&PVERSION=3 HTTP/1.1" 200 429

Can anyone tell by this line what viewer we are using?

Thanks,
Andy
 
MORE information:
We are using unmanaged reports with CE on an NT box using the asapi web connector to serve the reports on a linux running apache web server. Therefore we have no asp files. It just downloads the ActiveX Viewer to the PC.

Ken's site was helpful in determining this:

Does anyone know how to disable the Export Report function
using this method?

Thanks,
Andy
 
"...viewer=actx..." = ActiveX

You can manage your own exporting rights at an object level through Crystal Enterprise.

Open the CMC, go to Manage Objects, select the report, click the Rights tab, and turn off the Export option.

'Major security issue with Crystal Reports viewer' averted.

Naith
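
The question above (which viewer a logged request came from) can be answered across a whole access log, which also shows which clients are still loading the ActiveX viewer. This is an added example, not part of any post in the thread; it assumes Apache common log format, labels only the `actx` value confirmed above, and every sample line except the first is constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache common log format: host ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?:\d+|-)$'
)

# Only the value confirmed in the thread gets a label; others are reported raw.
VIEWER_LABELS = {"actx": "ActiveX"}

def parse_report_request(line):
    """Return a dict for a request to a .rpt file, or None for any other line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.lower().endswith(".rpt"):
        return None
    # Lower-case the parameter names; keep the first value of each.
    params = {k.lower(): v[0]
              for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    viewer = params.get("viewer", "")
    return {
        "host": m.group("host"),
        "cmd": params.get("cmd", ""),
        "viewer": viewer,
        "viewer_label": VIEWER_LABELS.get(viewer, "unlabelled"),
        "status": int(m.group("status")),
    }

def viewers_by_host(lines):
    counts = Counter()  # (client host, viewer value) -> number of report requests
    for line in lines:
        rec = parse_report_request(line)
        if rec:
            counts[(rec["host"], rec["viewer"] or "(none)")] += 1
    return counts

SAMPLE = [
    # Line posted in the thread, re-joined onto one line.
    '63.96.16.172 - - [19/Mar/2003:15:26:41 -0600] "POST /crystal/NetOutage.rpt?cmd=get_ttl&viewer=actx&vfmt=encp&ttl_info=0-5-0&PVERSION=3 HTTP/1.1" 200 429',
    # Constructed lines: a placeholder viewer value and a non-report request.
    '192.0.2.10 - - [19/Mar/2003:15:27:02 -0600] "POST /crystal/NetOutage.rpt?cmd=get_ttl&viewer=placeholder HTTP/1.1" 200 431',
    '192.0.2.10 - - [19/Mar/2003:15:27:05 -0600] "GET /index.html HTTP/1.1" 200 1024',
]
```

Calling `viewers_by_host(SAMPLE)` returns one count per client and viewer value, so a client that still requests reports with `viewer=actx` after a server-side change stands out.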
 
OK, I've followed the path from above, and when I get to the Rights tab, I don't see any option for turning off the Export option.

I can change the Explicit Rights, for each group of users, but that is about it.

I can't find the word export in HELP anywhere.

Is this option only in Crystal Enterprise Professional?

Thanks,
Andy
 
You can disable the exporting for all reports for the ActiveX viewer in CE from the Crystal Management Console (CMC).

1. Open the CMC
2. Go to Manage Servers
3. Open the Crystal Web Component Server (WCS)
4. At the bottom, uncheck "Export the Report"
5. Click the Update button on the bottom right
6. Restart the WCS

The next time you open a report through CE using the ActiveX viewer, you will not see the Export button.
~Brian
 
If you need to turn Exporting off for only certain reports, you will need to follow Naith's response:

Open the CMC, go to Manage Objects, select the report, click the Rights tab, and turn off the Export option.

Follow it, except after selecting the Rights tab, look at the "Access Level" for the Everyone Group. If you are using Unmanaged Reporting, and not specifying a log in, CE uses the Guest account, which, by default, belongs to the Everyone Group. By default, Everyone has Inherited Rights. If you open the drop down list, you can specify a preset Rights level, or choose Advanced and pick and choose the level of access you want them to have. You can try "View" for starters, and then give them more access if need be. ~Brian
 
I've followed your last post, unchecked it, and restarted WCS, and page server, but I am still seeing the button, and it still exports... I'm going to look at rights next.
 
If you can, try restarting all services. I know that you can remove this as I have removed the Refresh button from our CE server, and it is an option there as well.
~Brian
 
OK, now, when I open a report through ePortfolio, it asks to install a Java applet, and the look is totally different.

I don't have the Export button though, so that's good.

Any idea about this new look?

Thanks a lot,
Andy
 
It sounds like it is trying to use the Java viewer now. Check your preferences after you log into ePortfolio and see what viewer it is set to use.

How are your users viewing your reports, through ePortfolio or through a URL path? ~Brian
 
Through a URL, and for some reason, the Administrator is the only one that gets the Java viewer.

Guest still uses the other one, ActiveX I think, and
the Export button is still there...

The rights on guest and everybody are VIEW,
and Administrator is Full control....
 
Log on to ePortfolio as the Administrator and check the preferences. I bet it is set to the Java viewer.

As far as the Export button is concerned, I will look into this further tomorrow at work, and post my findings then. Sorry, I am unable to help you get this resolved before then.
~Brian
 
Hey, thanks a lot,
I did find where it was set to Java viewer,

I changed it for administrator and all is good.

My problem now is that the guest account still can export,
even though the administrator cannot.

Little backwards...

Andy
 
Andy:

On my test server here at work I followed my steps to disable the Export button from the ActiveX viewer. After I did them, the export button was gone from the viewer.


You can disable the exporting for all reports for the ActiveX viewer in CE from the Crystal Management Console (CMC).

1. Open the CMC
2. Go to Manage Servers
3. Open the Crystal Web Component Server (WCS)
4. At the bottom, uncheck "Export the Report"
5. Click the Update button on the bottom right
6. Restart the WCS


I did find that you need to restart the WCS from the Crystal Configuration Manager (CCM), not the CMC. This may require that someone can get on the server and do this, or someone who has the CCM on their PC can connect to the server running the WCS and restart it. The CMC will give you an error message if you try to restart WCS from there (Crystal Web Component Server: The server cannot be stopped or restarted while you are connected to it.) ~Brian
 
Hi Brian,

I did everything exactly as above, and it worked. But ONLY if I log in as Administrator.
If I log in as Guest nothing has changed.

?

Andy
 