Poor Error Handling: Unhandled exception
Error pages containing stack traces were found on these pages:
https://reports.abc.com/Account/ForgotPassword POST parameters: __RequestVerificationToken, Email
https://reports.abc.com/Account/Login POST parameters: __RequestVerificationToken, Username, Password, RememberMe, ReturnUrl https://reports.abc.com/api/reportserver/documents/C$39cae14f81d$9809a8279f1$72d6f30af5b7ed1809a23e
Stack traces are call chains of line numbered source code that usually result from unhandled exceptions. Unhandled exceptions are circumstances in which the application has received user input that it did not expect and doesn't know how to deal with. In many cases, an attacker can leverage the conditions that cause these errors in order to gain unauthorized access to the system. Recommendations include designing and adding consistent error-handling mechanisms that are capable of handling any user input to your web application, providing meaningful detail to end-users, and preventing error messages that might provide information useful to an attacker from being displayed.
There are vulnerabilities in the Report Server related to Cross-Site Scripting.
Getting this error in the browser when trying to preview a report:
Error registering the viewer with the service. An error has occurred. Incorrect value (null) deserialized. Make sure you are using CacheStorage inside single-instance application deployment only.
A possible reason is the cache for the Report Server used for previewing reports has become corrupted. A workaround is explained in the Telerik.Reporting.Cache.CacheStorage.AddInSet NullReferenceException KB article.
It will be very convenient for the user to be able to clear the cache directly from the Report Server Manager UI.
In many cases one can't simply ask users to download an installed report builder. The reports should be buildable in a web based tool.
It seems that when you try to open two tabs in the same browser looking at different websites, the browser gets confused about the URL that is sending the request. Issue is related to CORS protocol and HTTP caches.
It sounds like something needs to be changed on the report server so that even if it gets cached it would still allow access when I switch sub domains. Or something on the viewer side to clear the cache.
The Whitelabeling option are extremely limited.
I would like to see more customization available like removing the sidebar completely, or based on user settings / roles - as well as the top title bar (where logo is).
Customizable themes would go a long way.
Being able to integrate the existing report server pages into our own website would cut down on a lot of work.
Functionality for capturing user activity like executing reports from viewers or through the Report Server Web API.
Could the 'From' email address in Preview Email functionality be self populated from the 'Mail Server' SMTP settings in configuration? This way the users do not need to a) remember the email address; and b) type it each time they are emailing a report.
Hello,
I recently upgraded our Report Server that was hosted in IIS with an HTTPS binding but after the upgrade we were unable to communicate with the server using HTTPS. We received an invalid client id error.
We updated the bindings and everything worked. However, it would be nice if we could upgrade Report Server without changing the IIS bindings.
Thank you.
Provide the option to save custom report settings in the storage and enable specific rendering device settings based on custom settings.
Example use case:
- on the Report Server - Report view, the user should have a button for report settings;
- this button will open a custom dialog that contains various inputs;
- clicking Save on the custom dialog, the save operation will be handled by the Report Server implementor and the implementor should be able to get the user input and save various settings in the Report Server storage for the selected report;
- on rendering the report through the Preview, Scheduled Task, or Data Alert, the report server engine should invoke a custom event/code that can read the storage report settings and based on them provide rendering device settings to use during the report rendering.
