
Security problem in CE 10 or setup problem?


kmsalt (Programmer, US), Sep 13, 2002
Security problem in CE 10

Have you noticed this or have we setup the system wrong?

I signed in to Crystal Enterprise 10 and scheduled a report; in the scheduling I selected the destination to be Email (SMTP). I checked the “Set the values to be used at schedule time here:” button and added Mary’s email address to the From: box (Mary.Jones@Company.com). I then added Joan’s and Bob’s addresses in the To: box (Joan.Smith@Company.com; Robert.Brown@Company.com) and my address to the CC: box (kmsalt@Company.com) to see the message. I checked the box to not send the report. I scheduled the report and, when it completed, the email I got looked as if Mary had sent it.

I have not been able to gray out the From box; in your old system, INFO Desktop 7.5, there was no From box, and the system mail account was used.

Can we gray out the From box in the scheduler?

An evil-minded person could have fun with this new feature/bug by sending people emails using other email accounts.

At first, I was using my account, which was an admin account. Then I tested with a test account that had scheduling and view on demand rights, and it worked.
 
MJRBIM

I agree with your concerns, but there is currently no way to limit the FROM address in CE-10.
 
Mdwyer

You can modify destination.csp:
Code:
// GETTING SENDER'S ADDRESS
// Read the From address posted by the scheduling form, if the form carried one.
var saddress = Request.Form.Item("saddress");
if (saddress.Count == 0)
{
	//if (!server_default)	Condition ignored. LC customization
	//{						Condition ignored. LC customization
		// FORM DOESN'T HAVE IT. GET IT FROM THE OBJECT
		try
		{
			saddress = pi.SenderAddress;
			if (saddress == "")				// Add. LC customization
				saddress = "OEFRS@larimer.org";	// Add. LC customization: fixed system sender
		}
		catch (e)
		{
			saddress = "";
		}
	//}						Condition ignored. LC customization
}
else
{
	// ASSIGN TO THE OBJECT
	// A posted value, when present, is still written to the object here.
	pi.SenderAddress = saddress;
}

and (to hide the input field):

Code:
// Put all schedule options in a row element
//Response.Write("<tr><td width='30'>&nbsp</td><td class='list'>"); Drop. LC customization
Response.Write("<tr><td class='list'>"); // (only 1 <TD>) Add. LC customization
Response.Write("<table><tr><td>"); 

//Response.Write("<table align='center' width='100%' cellspacing='0'><tr><td class='schedule'>"+L_SENDERADDRESS+":&nbsp;"); Drop. LC customization
//Response.Write("</td><td class='schedule'>"); Drop. LC customization
Response.Write("<table align='center' width='100%' cellspacing='0'>"); // Add. LC customization

Response.Write("<input type='hidden' style='width:200' class='schedule' name='saddress' value=\""+Server.HTMLEncode(saddress)+ // was type='text' - LC customization
            "\" onkeydown='keydownfn(event, \"SendInfo\");'>");

//Response.Write("</td></tr>") <TR><TD> was removed above. LC customization
Note that the hard-coded From (sender) address is actually a dummy. At least for us, SMTP does not verify that it is a legitimate sender in our domain.
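The customization above hides the From field in the page, but the server-side branch still writes any posted `saddress` to the object, and a hidden input is still part of the POST and can be rewritten by the client. As an added example (not code from the thread, and not Crystal Enterprise code), here is the same sender selection in plain JavaScript, once as the unmodified page behaves and once with the From address derived from the authenticated user instead of the form. The function names, the form and user objects, the mailboxes and the domain are all assumed for illustration.

```javascript
"use strict";

// Added example, not from the thread or from Crystal Enterprise.
// Models the sender-selection logic of destination.csp so the two policies
// can be compared side by side. All names and addresses are assumed.

const SYSTEM_SENDER = "scheduler@example.com"; // assumed system mailbox
const ALLOWED_DOMAIN = "example.com";          // assumed local mail domain

// Normalize an address for comparison: trim, take "addr" out of "Name <addr>",
// fold case, and reject anything that is not a single plain address.
// CR/LF are refused because the value ends up in an SMTP header.
function normalizeAddress(raw) {
  if (typeof raw !== "string") return null;
  const s = raw.trim();
  if (/[\r\n]/.test(s)) return null;
  const m = s.match(/<([^<>]+)>$/);
  const addr = (m ? m[1] : s).trim().toLowerCase();
  if (!/^[^\s@<>,;]+@[^\s@<>,;]+\.[^\s@<>,;]+$/.test(addr)) return null;
  return addr;
}

function domainOf(addr) {
  return addr.slice(addr.lastIndexOf("@") + 1);
}

// What the unmodified page does: a posted "saddress" wins, otherwise the
// address stored on the scheduling object is used. Both values come from the
// user, so the From header is entirely under the scheduler's control.
function originalSenderLogic(form, storedAddress) {
  const saddress = form.saddress;
  if (saddress === undefined || saddress === "") {
    return storedAddress || "";
  }
  return saddress;
}

// Hardened version: the From address is derived from the authenticated
// session, never from the POST body. Hiding the <input> in the page does not
// stop a client from posting "saddress" anyway, so the posted value is only
// inspected to flag a spoofing attempt for logging or for refusing the job.
function chooseSender(form, user, opts = {}) {
  const systemSender = opts.systemSender || SYSTEM_SENDER;
  const allowedDomain = (opts.allowedDomain || ALLOWED_DOMAIN).toLowerCase();

  const userAddr = normalizeAddress(user && user.email);
  const sender =
    userAddr !== null && domainOf(userAddr) === allowedDomain
      ? userAddr      // local user: mail goes out in their own name
      : systemSender; // anyone else: the system mailbox

  const posted = form.saddress;
  const requested = normalizeAddress(posted);
  const spoofAttempt =
    posted !== undefined && posted !== "" && requested !== sender;

  return { sender, spoofAttempt, posted: posted === undefined ? "" : posted };
}
```

`chooseSender` returns the address to place in the From header plus a flag the caller can log or use to reject the schedule request; once the server stops reading `saddress`, the hidden field in the customized page can simply be dropped. Whether the mail relay checks the sender (the note above says it does not) is a separate control; this check sits in the application so the relay is never handed a forged From in the first place.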
 
kmsalt

Thanks MJRBIM, this is what we thought.

Mdwyer, thanks for the code. We have stayed away from editing csp pages because of all hot fixes that Business Objects releases.

How do you track the changes you make to the system and the Business Objects hot fixes that might overwrite your custom pages?

We considered doing some customization of the csp pages but are worried that it could turn into coding chaos.

Again, Thanks for your help.
 
Mdwyer

Your perception is right on. I would limit csp changes to only the most important. When I began our CE 9 customization, JavaScript and ASP were brand new to me, so it was a learning experience. I ended up going overboard in how much I changed, so migrating the changes to CE 10 was no picnic. It was gratifying to see that Crystal had incorporated several of the usability features that we felt were needed. But I'm glad we made the changes rather than paying Crystal's exorbitant rates, and then having to pay again to upgrade.

We do keep the code changes documented in-line, and use SourceSafe for version control, but migrating the customizations required a lot of file comparison. Several customizations did not carry over easily because of structural changes in the code.

We do not regularly apply hot fixes within a version unless there is a specific problem we need corrected. Fortunately, those we have applied have not had an impact on the csp code.
 
