[jfreechart-dev] [ jfreechart-Bugs-2879650 ] Security - Path / File Dislosure

[SourceForge.net <no...@so...>]

Bugs item #2879650, was opened at 2009-10-14 22:51
Message generated for change (Comment added) made by mungady
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=115494&aid=2879650&group_id=15494

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
>Category: General
>Group: 1.0.x
>Status: Closed
>Resolution: Fixed
Priority: 5
Private: No
Submitted By: Patrick Webster (patrickwebster)
>Assigned to: David Gilbert (mungady)
Summary: Security - Path / File Dislosure

Initial Comment:
Hello,

Not sure if it has been reported or not. I am conducting a penetration test against a client's server which has JFreeChart embedded in another product.

By requesting an invalid file name (e.g. http://localhost/charts?filename=blah), the absolute path is disclosed. In my client's instance, the temp folder is within documents & settings, further revealing the user account which is operating the backend and will aid in username/password attacks.

Furthermore, by brute forcing filenames, a valid file (but invalid chart image) will return " Chart image not found", validating the filename, where as an incorrect guess will simply reveal the path.

It is not a huge issue, but I thought for security's sake, these issues should be addressed - at very least, the path disclosure issue.

Thank you!
-Patrick

----------------------------------------------------------------------

>Comment By: David Gilbert (mungady)
Date: 2011-12-03 06:20

Message:
Thanks for the report.  It's slightly embarrassing that it has taken me
this long, but it is fixed now in SVN for the upcoming 1.0.15 release.

Best regards,
David

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=115494&aid=2879650&group_id=15494