JFreeChart - Path Disclosure

Release Date:
17-Jun-2011

Software:
JFree.org - JFreeChart
http://www.jfree.org/

"A free Java chart library. JFreeChart supports pie charts (2D and 3D), bar charts (horizontal and vertical, regular and stacked), line charts, scatter plots, time series charts, high-low-open-close charts, candlestick plots, Gantt charts, combined plots, thermometers, dials and more. JFreeChart can be used in applications, applets, servlets and JSP."

Versions tested / affected:
JFreeChart 1.0.13 and below.

Vulnerability discovered:

Path disclosure and file existence verification.

Vulnerability impact:

Low - A malicious attacker may abuse the flaw to disclose the path to JFreeChart. When installed within a user directory it will also disclose the username. Can be used to bruteforce filenames to determine existence.

Vulnerability information:

By requesting an invalid file name, the absolute path is disclosed.

Example:

http://[target]/charts?filename=blah

Recommendation:

This is an old bug which was reported (http://sourceforge.net/tracker/index.php?func=detail&aid=2879650&group_i...), however the package appears to no longer be maintained.

The reason for this advisory is due to enterprise software solutions (such as Atlassian) who embed JFreeChart within their solutions and may wish to address this internally.

Workaround:

Consider modifying the source code to prevent this:

DisplayChart.java line 116:

// Check the file exists

File file = new File(System.getProperty("java.io.tmpdir"), filename);

if (!file.exists()) {

throw new ServletException("File '" + file.getAbsolutePath()

+ "' does not exist");

}

Credit:
This vulnerability was discovered by Patrick Webster.

Disclosure timeline:
15-Oct-2009 - Discovered during audit. Notified developer via bug tracker.
17-Jun-2011 - Disclosure.
04-Dec-2011 - Developer fixed in SVN and upcoming 1.0.15 release.

About OSI Security:

OSI Security is an independent network and computer security auditing
and consulting company based in Sydney, Australia. We provide internal
and external penetration testing, vulnerability auditing and wireless
site audits, vendor product assessments, secure network design,
forensics and risk mitigation services.

We can be found at http://www.osisecurity.com.au/