what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Pentaho 5.2.x BA Suite / PDI Information Disclosure

Pentaho 5.2.x BA Suite / PDI Information Disclosure
Posted Sep 18, 2015
Authored by Gregory Draperi

Pentaho version 5.2.x GA BA Suite and PDI allow unauthenticated access to configuration files. The GetResource servlet, a vestige of the old platform UI, allows unauthenticated access to resources in the pentaho-solutions/system folder. Specifically vulnerable are properties files that may reveal passwords.

tags | exploit, info disclosure
advisories | CVE-2015-6940
SHA-256 | 0888853ff4779b5907a0ff21cd8ea09daabbccf2686a3c59adcb64e634280c5e

Pentaho 5.2.x BA Suite / PDI Information Disclosure

Change Mirror Download
Exploit Title: Improper authentication allows unauthenticated access
to configuration files
Product: Pentaho GA PDI & Pentaho GA BA
Vulnerable Versions: 5.2.x GA BA Suite and PDI - Suite and previous versions
Tested Version: 5.2.x GA BA Suite and PDI - Suite
Advisory Publication: 15/02/2015
Latest Update: 15/02/2015
Vulnerability Type: Improper Authentication [CWE-287]
CVE Reference: CVE-2015-6940
Credit: Gregory DRAPERI

Advisory Details:

(1) Vendor & Product Description
--------------------------------

Vendor: PENTAHO

Product & Version:
4.3.x GA PDI - Suite
4.4.x GA PDI - Suite
4.5.x GA BA Suite
4.8.x GA BA Suite
5.0.x GA BA Suite and PDI - Suite
5.1.x GA BA Suite and PDI - Suite
5.2.x GA BA Suite and PDI - Suite

Vendor URL & Download:
http://www.pentaho.com

Product Description:
"Pentaho Business Analytics, a suite of open source Business
Intelligence (BI) products which provide data integration, OLAP
services, reporting, dashboarding, data mining and ETL capabilities."


(2) Vulnerability Details:
--------------------------
The GetResource servlet, a vestige of the old platform UI, allows
unauthenticated access to resources in the pentaho-solutions/system
folder. Specifically vulnerable are properties files that may reveal
passwords.

The servlet allows access to files with the following extensions:

.xsl
.mondrian.xml
.jpg
.jpeg
.gif
.bmp
.properties
.jar
The vulnerability allows unauthenticated access to properties files in
the system solution which include properties files containing
passwords. The offending code was heavily used in our previous version
of our web UI but has since then been deprecated and is only being
used in an old deprecated plugin (JPivot).

For example, unauthenticated access to the
defaultUser.spring.properties is allowed with the following URL:
http://localhost:8080/pentaho/GetResource?resource=system/defaultUser.spring.properties


(3) Advisory Timeline:
----------------------
05/02/2015 - First Contact informing vendor of vulnerability
05/02/2015 - Response requesting details of vulnerability. Details sent
05/02/2015 - Vendor indicates issue is under investigation.
15/02/2015 - Vendor confirms patch ready and releases the patch
16/09/2015 - Public disclosure of vulnerability.


(4)Solution:
------------
Apply the patches listed below to your Server at the following location.

Download the appropriate .jar file for your version of the DI and BI Platform.
Copy the .jar file to the WEB-INF/lib folder of each of your DI and BI Servers.
Restart each of your servers
Please note:

SPA9-xxxx-4.5.0.11.jar works for both 4.3.x GA PDI - Suite and 4.5.x
GA BI - Suite

SPA9_xxxx-4.8.3.4-patch.jar works for both 4.4.x GA PDI - Suite and
4.8.x. GA BI - Suite

SPA9_xxxx-5.x-patch.jar works for all 5.x Versions

(5) Credits:
------------
Discovered by Gregory DRAPERI

(6) References:
------------
https://support.pentaho.com/entries/78884125-Security-Vulnerability-Announcement-Feb-2015
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    0 Files
  • 9
    Sep 9th
    0 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close