Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:26568
HistoryJun 19, 2011 - 12:00 a.m.

JFreeChart - Path Disclosure vulnerability

2011-06-1900:00:00
vulners.com
45
JSON

JFreeChart - Path Disclosure
http://www.osisecurity.com.au/advisories/jfreechart-path-disclosure

Release Date:
17-Jun-2011

Software:
JFree.org - JFreeChart
http://www.jfree.org/

"A free Java chart library. JFreeChart supports pie charts (2D and
3D), bar charts (horizontal and vertical, regular and stacked), line
charts, scatter plots, time series charts, high-low-open-close charts,
candlestick plots, Gantt charts, combined plots, thermometers, dials
and more. JFreeChart can be used in applications, applets, servlets
and JSP."

Versions tested / affected:
JFreeChart 1.0.13 and below.

Vulnerability discovered:

Path disclosure and file existence verification.

Vulnerability impact:

Low - A malicious attacker may abuse the flaw to disclose the path to
JFreeChart. When installed within a user directory it will also
disclose the username. Can be used to bruteforce filenames to
determine existence.

Vulnerability information:

By requesting an invalid file name, the absolute path is disclosed.

Example:

http://[target]/charts?filename=blah

Recommendation:

This is an old bug which was reported
(http://sourceforge.net/tracker/index.php?func=detail&aid=2879650&group_id=15494&atid=115494),
however the package appears to no longer be maintained.

The reason for this advisory is due to enterprise software solutions
(such as Atlassian) who embed JFreeChart within their solutions and
may wish to address this internally.

Workaround:

Consider modifying the source code to prevent this:

DisplayChart.java line 116:

// Check the file exists

File file = new File(System.getProperty("java.io.tmpdir"), filename);

if (!file.exists()) {

throw new ServletException("File '" + file.getAbsolutePath()

  • "' does not exist");

}

Credit:
This vulnerability was discovered by Patrick Webster.

Disclosure timeline:
15-Oct-2009 - Discovered during audit. Notified developer via bug tracker.
17-Jun-2011 - Disclosure.

About OSI Security:

OSI Security is an independent network and computer security auditing
and consulting company based in Sydney, Australia. We provide internal
and external penetration testing, vulnerability auditing and wireless
site audits, vendor product assessments, secure network design,
forensics and risk mitigation services.

We can be found at http://www.osisecurity.com.au/

JSON