[VulnWatch] R7-0031: JFreeChart Image Map Cross-Site Scripting Vulnerabilities

From: advisory@private
Date: Thu Dec 06 2007 - 14:58:11 PST

                        Rapid7 Security Advisory
            Visit http://www.rapid7.com/ to download NeXpose,
        SC Magazine Winner of Best Vulnerability Management product.

Rapid7 Advisory R7-0031
JFreeChart Image Map Cross-Site Scripting Vulnerabilities

   Published:  Dec 06, 2007
   Revision:   1.0

1. Affected system(s):

    o JFreeChart 1.0.8

    o JFreeChart 1.0.8 branch "jfreechart-1.0.8-security"

2. Summary

   JFreeChart is a popular Java-based chart library used to generate
   charts and graphs of data.  The library includes support for
   generating HTML image maps, which make a chart interactive by
   binding hyperlinks and tool tips to regions of the image specified
   by a shape and a set of coordinates.

   Multiple cross-site scripting vulnerabilities exist within the
   image map support functionality of JFreeChart.  Any product or
   website that builds a chart from untrusted data and emits the
   generated image map may allow an attacker to inject arbitrary HTML
   or JavaScript into its pages.

3. Vendor status and information

   JFreeChart Project

   The JFreeChart project was notified of these vulnerabilities on
   November 28th, 2007 via its online bug tracking system.  They were
   fixed on December 6th, 2007 with a commit to the project's SVN
   repository.

4. Solution

   Upgrade to JFreeChart SVN repository revision 682
   using branch "jfreechart-1.0.8-security".
   See http://jfreechart.svn.sourceforge.net/viewvc/jfreechart/
   for details.

5. Detailed analysis

   JFreeChart fails to properly escape the following properties of the
   generated image map:

      o The chart name.
      o The chart tool tip text.
      o The href attribute for a chart area.
      o The shape attribute for a chart area.
      o The coords attribute for a chart area.

   Because these values are written into the generated markup without
   escaping, a value containing a double quote or an angle bracket can
   close the enclosing attribute or tag and inject arbitrary HTML into
   the image map.  If a web server uses this library to generate
   charts from user-supplied data (for example, category labels or
   tool tip text taken from a form or a database), an attacker could
   cause other users of the same website or application to execute
   arbitrary JavaScript code when viewing a page containing a chart.
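   The escaping failure described above, as an added illustration
   written for this page (it is not JFreeChart's code and does not
   call its API): a small Python model of an image-map generator in
   its vulnerable form, which concatenates the name, tool tip, href,
   shape and coords values exactly as the advisory describes, beside a
   hardened form.  The sample areas, the function names and the set
   of allowed URL schemes are constructed assumptions.

```python
import html
import re
from urllib.parse import urlparse

# Constructed sample data (not from the advisory): two chart areas whose
# tool tip and href carry the kind of attacker-controlled values the
# advisory describes, e.g. a category label taken from user-submitted data.
SAMPLE_AREAS = [
    {"shape": "rect", "coords": "10,10,60,40",
     "tooltip": 'Q1 sales" onmouseover="alert(1)',   # breaks out of title="..."
     "href": "https://example.invalid/q1"},
    {"shape": "poly", "coords": "70,10,90,30,70,50",
     "tooltip": "Q2 sales",
     "href": "javascript:alert(document.cookie)"},  # escaping alone does not help
]


def vulnerable_image_map(name, areas):
    """Build <map>/<area> markup by plain concatenation.

    Mirrors the failure the advisory reports: none of the name, tool tip,
    href, shape or coords values are escaped before being written into
    attribute values, so a double quote in any of them ends the attribute.
    """
    out = [f'<map id="{name}" name="{name}">']
    for a in areas:
        out.append(
            f'<area shape="{a["shape"]}" coords="{a["coords"]}" '
            f'title="{a["tooltip"]}" alt="" href="{a["href"]}"/>'
        )
    out.append("</map>")
    return "\n".join(out)


# --- hardened version (assumed policy, not JFreeChart's fix) ----------------

ALLOWED_SHAPES = {"rect", "circle", "poly", "default"}
COORDS_RE = re.compile(r"^-?\d+(?:,-?\d+)*$")
# Assumption: only http(s) and scheme-less (relative) links are wanted.
ALLOWED_SCHEMES = {"http", "https", ""}


def attr(value):
    """HTML-escape a value for use inside a double-quoted attribute."""
    return html.escape(str(value), quote=True)


def is_valid_shape(shape):
    return shape in ALLOWED_SHAPES


def is_valid_coords(coords):
    """Accept only comma-separated integers; anything else is rejected."""
    return COORDS_RE.fullmatch(coords) is not None


def is_safe_href(url):
    """Reject javascript:, data: and similar schemes.

    Attribute escaping does not neutralise them: the browser acts on the
    decoded value.  Control characters and spaces are removed first because
    browsers ignore them when recognising a scheme.
    """
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", url)
    return urlparse(cleaned).scheme.lower() in ALLOWED_SCHEMES


def hardened_image_map(name, areas):
    """Same markup with every value escaped and structural values whitelisted.

    shape and coords come from the chart, not from end users, so a bad
    value indicates tampering and raises rather than being repaired.  An
    unsafe href is dropped so the area still renders with its tool tip.
    """
    out = [f'<map id="{attr(name)}" name="{attr(name)}">']
    for a in areas:
        if not is_valid_shape(a["shape"]):
            raise ValueError(f"unexpected shape {a['shape']!r}")
        if not is_valid_coords(a["coords"]):
            raise ValueError(f"malformed coords {a['coords']!r}")
        href = f' href="{attr(a["href"])}"' if is_safe_href(a["href"]) else ""
        out.append(
            f'<area shape="{a["shape"]}" coords="{a["coords"]}" '
            f'title="{attr(a["tooltip"])}" alt=""{href}/>'
        )
    out.append("</map>")
    return "\n".join(out)


if __name__ == "__main__":
    print(vulnerable_image_map("chart", SAMPLE_AREAS))
    print()
    print(hardened_image_map("chart", SAMPLE_AREAS))
```

   The second sample area is the caveat worth noting: attribute
   escaping is necessary but not sufficient, because a javascript:
   href survives html.escape unchanged and still runs when the area is
   clicked, so the href needs a scheme check as well.  Shape and coords
   are produced by the library rather than the user, which is why the
   hardened form validates them against a whitelist and refuses to
   emit anything else.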

6. Credit

   Discovered by Chad Loder of Rapid7.

7. Contact Information

   Rapid7, LLC
   Email: advisory@private
   Web: http://www.rapid7.com
   Phone: +1 (617) 247-1717

8. Disclaimer and Copyright

   Rapid7, LLC is not responsible for the misuse of the information
   provided in our security advisories. These advisories are a service
   to the professional security community. There are NO WARRANTIES with
   regard to this information. Any application or distribution of this
   information constitutes acceptance AS IS, at the user's own risk.
   This information is subject to change without notice.

   This advisory Copyright (C) 2007 Rapid7, LLC. Permission is hereby
   granted to redistribute this advisory, providing that no changes are
   made and that the copyright notices and disclaimers remain intact.

This archive was generated by hypermail 2.1.3 : Thu Dec 06 2007 - 16:12:15 PST