JasperSoft JasperReports 4.7 Password Disclosure Vulnerability

[+] Credits: Joshua Platz aka Binary1985
[+] CVE ID: CVE-2017-14941
[+] Website: https://github.com/binary1985

[+] Source:
https://raw.githubusercontent.com/binary1985/VulnerabilityDisclosure/master/JasperSoft%20JasperReports%20-%204.7%20-%20CVE-2017-14941

Vendor:
==========================
https://www.jaspersoft.com/


Product:
===========
JasperSoft JasperReports
Version 4.7

JasperReports is an open source Java reporting tool that can write to a variety of targets, such as: screen, a printer, into PDF, HTML, Microsoft Excel, RTF, ODT, Comma-separated values or XML files.


Vulnerability Type:
==========================
Cleartext Password Storage


Vulnerability Details:
=====================

JasperReports stores Passwords unencrypted for maintaining the test
connectivity function of its Data Source Connectors. These credentials
are retrieved by the system when the editing a Data Source on /jasperserver-pro/flow.html,
and rendered directly into the HTLM in cleartext.


1) Log into JasperReports application. Default superuser/superuser

2) Navigate an existing Data Source connector under View -> Repository

3) Select entry and click Edit

4) View the HTLM source code, extracting the database connection string, username, and password from the HTLM form.

Key value name(html form ID's):
database connection string, username, password(cleartext)


Remediation Details:
=====================
Apply security update issued in patch 4.1.2: ftp://ftp.multitech.com/faxfinder/ffx40/FFx40_version_update.txt

2017-09-14 - Issue Reported to Vendor
2016-09-14 - Vendor Awknowledged Report, Requested testing of latest version
2016-09-15 - Validate issue is remdiated in 6.4.0
    Testing Comments: Vender properly loads a -substitute value- into password HTML form. It is unknown at which version this was corrected.
2016-09-29 - Public Disclsoure
2017-09-29 - CVE-2017-14941 Issued

#  0day.today [2018-01-04]  #