A Crystal Reports web development team has posted in the SAP forums about some security weaknesses in the .NET web deployment model. They are trying to get the attention of SAP, without success so far.
It appears that this team deployed a .NET web application using the Crystal Reports runtime engine. During a security audit they uncovered some serious vulnerabilities. It appears that they weren’t able to get the SAP support team to look at the problem because they do not have a support subscription, so they posted it to the forum as three questions. From what I have read, they are trying to walk the line between highlighting the seriousness of specific vulnerabilities and not making these same vulnerabilities easier to exploit.
Those of you who do .NET web development might want to check out the following links (some of which appear to have been deleted as of 3/6).
Link 1 (131436) (deleted)
Link 2 (130250) (deleted)
Link 3 (133449)
And thanks to Ido Millet of Millet Software for pointing these posts out to me.