Exploit for php platform in category web applications
[+] Credits: Joshua Platz aka Binary1985
[+] CVE ID: CVE-2017-14941
[+] Website: https://github.com/binary1985
[+] Source:
https://raw.githubusercontent.com/binary1985/VulnerabilityDisclosure/master/JasperSoft%20JasperReports%20-%204.7%20-%20CVE-2017-14941
Vendor:
==========================
https://www.jaspersoft.com/
Product:
===========
JasperSoft JasperReports
Version 4.7
JasperReports is an open source Java reporting tool that can write to a variety of targets, such as: screen, a printer, into PDF, HTML, Microsoft Excel, RTF, ODT, Comma-separated values or XML files.
Vulnerability Type:
==========================
Cleartext Password Storage
Vulnerability Details:
=====================
JasperReports stores Passwords unencrypted for maintaining the test
connectivity function of its Data Source Connectors. These credentials
are retrieved by the system when the editing a Data Source on /jasperserver-pro/flow.html,
and rendered directly into the HTLM in cleartext.
1) Log into JasperReports application. Default superuser/superuser
2) Navigate an existing Data Source connector under View -> Repository
3) Select entry and click Edit
4) View the HTLM source code, extracting the database connection string, username, and password from the HTLM form.
Key value name(html form ID's):
database connection string, username, password(cleartext)
Remediation Details:
=====================
Apply security update issued in patch 4.1.2: ftp://ftp.multitech.com/faxfinder/ffx40/FFx40_version_update.txt
2017-09-14 - Issue Reported to Vendor
2016-09-14 - Vendor Awknowledged Report, Requested testing of latest version
2016-09-15 - Validate issue is remdiated in 6.4.0
Testing Comments: Vender properly loads a -substitute value- into password HTML form. It is unknown at which version this was corrected.
2016-09-29 - Public Disclsoure
2017-09-29 - CVE-2017-14941 Issued
# 0day.today [2018-01-04] #