TIBCO JasperReports Server等都是美国TIBCO软件公司的产品。TIBCO JasperReports Server是一个报表生成编辑工具的服务器版，TIBCO JasperReports Server Community Edition是它的社区版。Spring web flows是其中的一个流程控制组件。
多款TIBCO产品中的Spring web flows组件存在信息泄露漏洞。攻击者可利用该漏洞访问Web应用程序的内容（包括：重要的配置文件）。以下产品和版本受到影响：TIBCO JasperReports Server 6.2.4及之前版本，6.3.0版本，6.3.2版本，6.3.3版本，6.4.0版本，6.4.2版本；TIBCO JasperReports Server Community Edition 6.4.2及之前版本；TIBCO JasperReports Server for ActiveMatrix BPM 6.4.2及之前版本；TIBCO Jaspersoft for AWS with Multi-Tenancy 6.4.2及之前版本；TIBCO Jaspersoft Reporting and Analytics for AWS 6.4.2及之前版本。
TIBCO’s JasperReports (<=6.2.4, 6.3.0, 6.3.2-3, 6.4.0, 6.4.2, CE/ActiveMatrix BPM and Jaspersoft AWS with Multi-Tenancy/Reporting and Analytics for AWS <=6.4.2) is vulnerable to an authenticated file read and inclusion vulnerability by means of directory traversal. It is possible for an attacker, regardless of user permissions, to access or include files from within the filesystem hosting the application.
CVSS v3 Base Score: 7.7 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
- - -
## Bypassing JasperReports Access Controls
The following example allowed us to include an administrator JSP from a low privileged user (joeuser):
Which took us from:
getAttribute() @ HttpServletRequestParameterMap.java:57
> string = wrapper.getParameterValues("page")
getResource() @ DirResourceSet.java:101
> file = new File(/home/rhino/jasperreports...mcat/webapps/jasperserver,"/WEB-INF/jsp/modules/administer/adminImport.jsp")
Due to a lack of input validation we found ourselves with the capability to traverse paths to a destination of our choice. Below you will find more Proof of Concepts (PoCs) of the the attack in question:
## Accessing Administrator Export Functions
## Accessing AWS Configuration Functions
The above issue allowed us to load privileged portions of the application geared towards the Administrator, thus bypassing access controls.
## Local File Read
The following command allowed us to read configuration files on the server, taking advantage of an unsanitized ‘page’ perimeter and reading configuration files. An attacker would use these credentials to further pivot across application and services. Although the above screenshot provides a randomly generated password for the occasion, we decided to blur it out of habit.
## Local File Inclusion (JSP)
And in the event of a post-intrusion scenario, an attacker would need to upload an arbitrary JSP file, masqueraded as a regular file (sans .jsp) to the victims filesystem and execute something like the following via a local file inclusion:
NOTE: Since the application appends ‘.jsp’ to the ‘page’ paramater value, normally you would end up with ../../../jsp/modules/administer/file.jsp. However, if we want to read configuration files we need to trick Java to read our desired file, and ignore the ‘.jsp’ addition. NULL bytes (%00) do not work, however we were able to bypass the problem by adding a semicolon to our desired file.