Home page logo
/

bugtraq logo Bugtraq mailing list archives

JFreeChart - Path Disclosure vulnerability
From: Patrick Webster <patrick () osisecurity com au>
Date: Fri, 17 Jun 2011 21:15:01 +1000

JFreeChart - Path Disclosure
http://www.osisecurity.com.au/advisories/jfreechart-path-disclosure

Release Date:
17-Jun-2011

Software:
JFree.org - JFreeChart
http://www.jfree.org/

"A free Java chart library. JFreeChart supports pie charts (2D and
3D), bar charts (horizontal and vertical, regular and stacked), line
charts, scatter plots, time series charts, high-low-open-close charts,
candlestick plots, Gantt charts, combined plots, thermometers, dials
and more. JFreeChart can be used in applications, applets, servlets
and JSP."

Versions tested / affected:
JFreeChart 1.0.13 and below.

Vulnerability discovered:

Path disclosure and file existence verification.

Vulnerability impact:

Low - A malicious attacker may abuse the flaw to disclose the path to
JFreeChart. When installed within a user directory it will also
disclose the username. Can be used to bruteforce filenames to
determine existence.

Vulnerability information:

By requesting an invalid file name, the absolute path is disclosed.

Example:

http://[target]/charts?filename=blah

Recommendation:

This is an old bug which was reported
(http://sourceforge.net/tracker/index.php?func=detail&aid=2879650&group_id=15494&atid=115494),
however the package appears to no longer be maintained.

The reason for this advisory is due to enterprise software solutions
(such as Atlassian) who embed JFreeChart within their solutions and
may wish to address this internally.

Workaround:

Consider modifying the source code to prevent this:

DisplayChart.java line 116:

// Check the file exists

File file = new File(System.getProperty("java.io.tmpdir"), filename);

if (!file.exists()) {

throw new ServletException("File '" + file.getAbsolutePath()

+ "' does not exist");

}

Credit:
This vulnerability was discovered by Patrick Webster.

Disclosure timeline:
15-Oct-2009 - Discovered during audit. Notified developer via bug tracker.
17-Jun-2011 - Disclosure.

About OSI Security:

OSI Security is an independent network and computer security auditing
and consulting company based in Sydney, Australia. We provide internal
and external penetration testing, vulnerability auditing and wireless
site audits, vendor product assessments, secure network design,
forensics and risk mitigation services.

We can be found at http://www.osisecurity.com.au/


  By Date           By Thread  

Current thread:
  • JFreeChart - Path Disclosure vulnerability Patrick Webster (Jun 18)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault