lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <BANLkTimPokGQLBaxJQ6Y9vzVgvv47GBLEQ@mail.gmail.com>
Date: Fri, 17 Jun 2011 21:15:01 +1000
From: Patrick Webster <patrick@...security.com.au>
To: bugtraq@...urityfocus.com
Subject: JFreeChart - Path Disclosure vulnerability


JFreeChart - Path Disclosure
http://www.osisecurity.com.au/advisories/jfreechart-path-disclosure

Release Date:
17-Jun-2011

Software:
JFree.org - JFreeChart
http://www.jfree.org/

"A free Java chart library. JFreeChart supports pie charts (2D and
3D), bar charts (horizontal and vertical, regular and stacked), line
charts, scatter plots, time series charts, high-low-open-close charts,
candlestick plots, Gantt charts, combined plots, thermometers, dials
and more. JFreeChart can be used in applications, applets, servlets
and JSP."

Versions tested / affected:
JFreeChart 1.0.13 and below.

Vulnerability discovered:

Path disclosure and file existence verification.

Vulnerability impact:

Low - A malicious attacker may abuse the flaw to disclose the path to
JFreeChart. When installed within a user directory it will also
disclose the username. Can be used to bruteforce filenames to
determine existence.

Vulnerability information:

By requesting an invalid file name, the absolute path is disclosed.

Example:

http://[target]/charts?filename=blah

Recommendation:

This is an old bug which was reported
(http://sourceforge.net/tracker/index.php?func=detail&aid=2879650&group_id=15494&atid=115494),
however the package appears to no longer be maintained.

The reason for this advisory is due to enterprise software solutions
(such as Atlassian) who embed JFreeChart within their solutions and
may wish to address this internally.

Workaround:

Consider modifying the source code to prevent this:

DisplayChart.java line 116:

// Check the file exists

File file = new File(System.getProperty("java.io.tmpdir"), filename);

if (!file.exists()) {

throw new ServletException("File '" + file.getAbsolutePath()

+ "' does not exist");

}

Credit:
This vulnerability was discovered by Patrick Webster.

Disclosure timeline:
15-Oct-2009 - Discovered during audit. Notified developer via bug tracker.
17-Jun-2011 - Disclosure.

About OSI Security:

OSI Security is an independent network and computer security auditing
and consulting company based in Sydney, Australia. We provide internal
and external penetration testing, vulnerability auditing and wireless
site audits, vendor product assessments, secure network design,
forensics and risk mitigation services.

We can be found at http://www.osisecurity.com.au/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ