exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Pentaho 5.2.x BA Suite / PDI Information Disclosure

Pentaho 5.2.x BA Suite / PDI Information Disclosure
Posted Sep 18, 2015
Authored by Gregory Draperi

Pentaho version 5.2.x GA BA Suite and PDI allow unauthenticated access to configuration files. The GetResource servlet, a vestige of the old platform UI, allows unauthenticated access to resources in the pentaho-solutions/system folder. Specifically vulnerable are properties files that may reveal passwords.

tags | exploit, info disclosure
advisories | CVE-2015-6940
SHA-256 | 0888853ff4779b5907a0ff21cd8ea09daabbccf2686a3c59adcb64e634280c5e

Pentaho 5.2.x BA Suite / PDI Information Disclosure

Change Mirror Download
Exploit Title: Improper authentication allows unauthenticated access
to configuration files
Product: Pentaho GA PDI & Pentaho GA BA
Vulnerable Versions: 5.2.x GA BA Suite and PDI - Suite and previous versions
Tested Version: 5.2.x GA BA Suite and PDI - Suite
Advisory Publication: 15/02/2015
Latest Update: 15/02/2015
Vulnerability Type: Improper Authentication [CWE-287]
CVE Reference: CVE-2015-6940
Credit: Gregory DRAPERI

Advisory Details:

(1) Vendor & Product Description
--------------------------------

Vendor: PENTAHO

Product & Version:
4.3.x GA PDI - Suite
4.4.x GA PDI - Suite
4.5.x GA BA Suite
4.8.x GA BA Suite
5.0.x GA BA Suite and PDI - Suite
5.1.x GA BA Suite and PDI - Suite
5.2.x GA BA Suite and PDI - Suite

Vendor URL & Download:
http://www.pentaho.com

Product Description:
"Pentaho Business Analytics, a suite of open source Business
Intelligence (BI) products which provide data integration, OLAP
services, reporting, dashboarding, data mining and ETL capabilities."


(2) Vulnerability Details:
--------------------------
The GetResource servlet, a vestige of the old platform UI, allows
unauthenticated access to resources in the pentaho-solutions/system
folder. Specifically vulnerable are properties files that may reveal
passwords.

The servlet allows access to files with the following extensions:

.xsl
.mondrian.xml
.jpg
.jpeg
.gif
.bmp
.properties
.jar
The vulnerability allows unauthenticated access to properties files in
the system solution which include properties files containing
passwords. The offending code was heavily used in our previous version
of our web UI but has since then been deprecated and is only being
used in an old deprecated plugin (JPivot).

For example, unauthenticated access to the
defaultUser.spring.properties is allowed with the following URL:
http://localhost:8080/pentaho/GetResource?resource=system/defaultUser.spring.properties


(3) Advisory Timeline:
----------------------
05/02/2015 - First Contact informing vendor of vulnerability
05/02/2015 - Response requesting details of vulnerability. Details sent
05/02/2015 - Vendor indicates issue is under investigation.
15/02/2015 - Vendor confirms patch ready and releases the patch
16/09/2015 - Public disclosure of vulnerability.


(4)Solution:
------------
Apply the patches listed below to your Server at the following location.

Download the appropriate .jar file for your version of the DI and BI Platform.
Copy the .jar file to the WEB-INF/lib folder of each of your DI and BI Servers.
Restart each of your servers
Please note:

SPA9-xxxx-4.5.0.11.jar works for both 4.3.x GA PDI - Suite and 4.5.x
GA BI - Suite

SPA9_xxxx-4.8.3.4-patch.jar works for both 4.4.x GA PDI - Suite and
4.8.x. GA BI - Suite

SPA9_xxxx-5.x-patch.jar works for all 5.x Versions

(5) Credits:
------------
Discovered by Gregory DRAPERI

(6) References:
------------
https://support.pentaho.com/entries/78884125-Security-Vulnerability-Announcement-Feb-2015
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close