Not sure if it has been reported or not. I am conducting a penetration test against a client's server which has JFreeChart embedded in another product.
By requesting an invalid file name (e.g. http://localhost/charts?filename=blah\), the absolute path is disclosed. In my client's instance, the temp folder is within Documents & Settings, further revealing the user account which is operating the backend and will aid in username/password attacks.
Furthermore, by brute forcing filenames, a valid file (but invalid chart image) will return " Chart image not found", validating the filename, whereas an incorrect guess will simply reveal the path.
It is not a huge issue, but I thought for security's sake, these issues should be addressed - at the very least, the path disclosure issue.
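A hardened lookup for the `filename` parameter, added here as an example (it is not JFreeChart's code nor the poster's): it rejects anything but the expected name shape before touching the filesystem, confines the resolved file to the temp directory, and returns one generic message for both malformed and missing names so the response no longer leaks the path or confirms a guessed filename. The `jfreechart-<digits>.png` pattern and the message text are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.util.regex.Pattern;

// Added example, not JFreeChart's own code. Names, the filename pattern
// and the error text are assumptions for illustration.
public class ChartFileLookup {

    // Only the name shape the application itself generates (assumed:
    // "jfreechart-" prefix, digits, ".png"). Backslashes, slashes, "..",
    // and anything else are rejected before the filesystem is consulted.
    private static final Pattern SAFE_NAME =
        Pattern.compile("^jfreechart-[0-9]+\\.png$");

    // One message for every failure, so a caller cannot distinguish an
    // invalid name from a well-formed name that does not exist.
    public static final String GENERIC_ERROR = "Chart image not found";

    /** Returns the chart file to serve, or null if the request must be refused. */
    public static File resolve(File tempDir, String filename) throws IOException {
        if (filename == null || !SAFE_NAME.matcher(filename).matches()) {
            return null; // log the raw value server-side if needed; never echo it
        }
        File base = tempDir.getCanonicalFile();
        File candidate = new File(base, filename).getCanonicalFile();
        // Belt and braces: the canonical file must sit directly inside tempDir.
        if (!base.equals(candidate.getParentFile())) {
            return null;
        }
        return candidate.isFile() ? candidate : null;
    }

    public static void main(String[] args) throws IOException {
        File tempDir = new File(System.getProperty("java.io.tmpdir"));
        // Constructed sample inputs: the malformed name from the post, a
        // traversal attempt, and a well-formed name that may or may not exist.
        String[] names = {"blah\\", "../web.xml", "jfreechart-123.png"};
        for (String name : names) {
            File f = resolve(tempDir, name);
            // The response text is identical for every failure; the absolute
            // temp path never appears in it.
            System.out.println(name + " -> "
                + (f == null ? GENERIC_ERROR : "serve " + f.getName()));
        }
    }
}
```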