[<prev] [next>] [day] [month] [year] [list]
Message-ID: <BANLkTimPokGQLBaxJQ6Y9vzVgvv47GBLEQ@mail.gmail.com>
Date: Fri, 17 Jun 2011 21:15:01 +1000
From: Patrick Webster <patrick@...security.com.au>
To: bugtraq@...urityfocus.com
Subject: JFreeChart - Path Disclosure vulnerability
JFreeChart - Path Disclosure
http://www.osisecurity.com.au/advisories/jfreechart-path-disclosure
Release Date:
17-Jun-2011
Software:
JFree.org - JFreeChart
http://www.jfree.org/
"A free Java chart library. JFreeChart supports pie charts (2D and
3D), bar charts (horizontal and vertical, regular and stacked), line
charts, scatter plots, time series charts, high-low-open-close charts,
candlestick plots, Gantt charts, combined plots, thermometers, dials
and more. JFreeChart can be used in applications, applets, servlets
and JSP."
Versions tested / affected:
JFreeChart 1.0.13 and below.
Vulnerability discovered:
Path disclosure and file existence verification.
Vulnerability impact:
Low - A malicious attacker may abuse the flaw to disclose the path to
JFreeChart. When installed within a user directory it will also
disclose the username. Can be used to bruteforce filenames to
determine existence.
Vulnerability information:
By requesting an invalid file name, the absolute path is disclosed.
Example:
http://[target]/charts?filename=blah
Recommendation:
This is an old bug which was reported
(http://sourceforge.net/tracker/index.php?func=detail&aid=2879650&group_id=15494&atid=115494),
however the package appears to no longer be maintained.
The reason for this advisory is due to enterprise software solutions
(such as Atlassian) who embed JFreeChart within their solutions and
may wish to address this internally.
Workaround:
Consider modifying the source code to prevent this:
DisplayChart.java line 116:
// Check the file exists
File file = new File(System.getProperty("java.io.tmpdir"), filename);
if (!file.exists()) {
throw new ServletException("File '" + file.getAbsolutePath()
+ "' does not exist");
}
Credit:
This vulnerability was discovered by Patrick Webster.
Disclosure timeline:
15-Oct-2009 - Discovered during audit. Notified developer via bug tracker.
17-Jun-2011 - Disclosure.
About OSI Security:
OSI Security is an independent network and computer security auditing
and consulting company based in Sydney, Australia. We provide internal
and external penetration testing, vulnerability auditing and wireless
site audits, vendor product assessments, secure network design,
forensics and risk mitigation services.
We can be found at http://www.osisecurity.com.au/
Powered by blists - more mailing lists