FastReports is vulnerable to arbitrary code execution because it compiles and runs C# code from a report template.
While compiling the template and its data dynamically into .NET code could be acceptable if both the report template and the data source are trusted, the advertised Online Designer shows that this assumption does not hold.
Any user may run arbitrary remote code on the server by creating a new expression or editing an existing one into, for example
Side Note: The forward slash '/' is used instead of the back slash '\' because the FastReports library fails to recognize a string literal whose last character is '\'.
After the user clicks Preview, the code is executed on the server.
Arbitrary code execution on the report template processing host.
The allowed expressions should be restricted to an acceptable subset. The compiled code should be run in a sandboxed process.
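One way to implement the first recommendation, as an added example that is not FastReports' own code: the check below parses each report expression with the Roslyn parser (Microsoft.CodeAnalysis.CSharp, an assumed dependency) and rejects anything outside an allow-list of syntax kinds and helper function names. Because member access (`Type.Member`) is never on the list, calls into arbitrary .NET APIs are refused before the expression ever reaches the compiler. The helper function names are illustrative, and the example assumes that data-field references have already been rewritten to plain identifiers before the check runs.

```csharp
// Added example (not FastReports code): allow-list validation of report
// expressions using the Roslyn parser. Assumed usage: the host runs IsAllowed
// over every expression in a template and refuses to compile the template if
// any expression fails. Running the compiled report in a sandboxed process is
// the second, complementary measure and is not shown here.
using System;
using System.Collections.Generic;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;

public static class ExpressionAllowList
{
    // Syntax a report expression legitimately needs: literals, identifiers
    // (data fields), arithmetic/comparison/logical operators, parentheses,
    // the conditional operator, and calls to allow-listed helper functions.
    private static readonly HashSet<SyntaxKind> AllowedKinds = new HashSet<SyntaxKind>
    {
        SyntaxKind.NumericLiteralExpression, SyntaxKind.StringLiteralExpression,
        SyntaxKind.TrueLiteralExpression, SyntaxKind.FalseLiteralExpression,
        SyntaxKind.IdentifierName, SyntaxKind.ParenthesizedExpression,
        SyntaxKind.AddExpression, SyntaxKind.SubtractExpression,
        SyntaxKind.MultiplyExpression, SyntaxKind.DivideExpression,
        SyntaxKind.UnaryMinusExpression, SyntaxKind.LogicalNotExpression,
        SyntaxKind.EqualsExpression, SyntaxKind.NotEqualsExpression,
        SyntaxKind.LessThanExpression, SyntaxKind.GreaterThanExpression,
        SyntaxKind.LessThanOrEqualExpression, SyntaxKind.GreaterThanOrEqualExpression,
        SyntaxKind.LogicalAndExpression, SyntaxKind.LogicalOrExpression,
        SyntaxKind.ConditionalExpression, SyntaxKind.InvocationExpression,
        SyntaxKind.ArgumentList, SyntaxKind.Argument,
    };

    // Illustrative helper functions (assumed names). A call is accepted only
    // when the callee is one of these bare identifiers; member access such as
    // Namespace.Type.Method is not an allowed syntax kind at all.
    private static readonly HashSet<string> AllowedFunctions =
        new HashSet<string>(StringComparer.Ordinal)
        { "Sum", "Count", "Avg", "Round", "Upper", "Lower", "Format", "IIf" };

    public static bool IsAllowed(string expressionText, out string reason)
    {
        // ParseExpression consumes the full text; trailing junk such as a
        // second statement shows up as a diagnostic and is rejected here.
        ExpressionSyntax expr = SyntaxFactory.ParseExpression(expressionText);
        if (expr.ContainsDiagnostics)
        {
            reason = "expression does not parse as a single expression";
            return false;
        }

        // Pre-order walk: every node, including the root, must be allow-listed.
        foreach (SyntaxNode node in expr.DescendantNodesAndSelf())
        {
            SyntaxKind kind = node.Kind();
            if (!AllowedKinds.Contains(kind))
            {
                reason = "disallowed syntax: " + kind;
                return false;
            }
            if (node is InvocationExpressionSyntax call)
            {
                if (!(call.Expression is IdentifierNameSyntax callee) ||
                    !AllowedFunctions.Contains(callee.Identifier.ValueText))
                {
                    reason = "disallowed call: " + call.Expression;
                    return false;
                }
            }
        }
        reason = null;
        return true;
    }

    public static void Main()
    {
        // Constructed sample expressions. The first three are ordinary report
        // arithmetic; the rest reach for .NET APIs or non-expression syntax.
        string[] samples =
        {
            "Total * 1.2",
            "Round(Sum(Quantity * Price), 2)",
            "Quantity > 10 ? \"bulk\" : \"single\"",
            "System.Diagnostics.Process.Start(\"whoami\")",
            "Sum(System.IO.File.ReadAllText(\"secrets.txt\"))",
            "new System.Net.WebClient().DownloadString(\"http://example.invalid\")",
            "Total; Total",
        };
        foreach (string s in samples)
        {
            bool ok = IsAllowed(s, out string why);
            Console.WriteLine((ok ? "ALLOW  " : "REJECT ") + s + (ok ? "" : "  [" + why + "]"));
        }
    }
}
```

The walk visits the `InvocationExpression` node before its children, so a callee like `System.Diagnostics.Process.Start` is rejected at the invocation check rather than by the later `SimpleMemberAccessExpression` node. Object creation, lambdas, `typeof`, element access and interpolated strings are all absent from `AllowedKinds` and fail on the kind check.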
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
You can contact the GHSL team at firstname.lastname@example.org; please include a reference to GHSL-2020-143 in any communication regarding this issue.