
Jaspersoft 5.5 Security Changes and Configuration


david.aili


Hello,

We recently discovered a security vulnerability, cross-site scripting (XSS), in our Jaspersoft Report Server 5.5 installation.

If you append this pattern to a valid URL, a script will be executed (in this case a popup window showing the content of the cookie):

&%3C%2fscript%3E%3Cscript%3Ealert%28document.cookie%29%3C%2fscript%3E=1

I referred to these wiki pages:

http://community.jaspersoft.com/wiki/jaspersoft-security-changes-and-configuration

http://community.jaspersoft.com/wiki/jaspersoft-security-security-configuration-files

What I found is that JasperReports already includes a security framework to prevent this kind of issue:

The JasperReports Server as of v4.5 onwards has enterprise-grade security through the integration of a comprehensive security framework. This new security framework protects the server against the common enterprise software security threats, such as:

  • Cross-site scripting
  • Cross-site request forgery
  • SQL injection

The security framework restricts user input and values passed to reports to block any potential security threats. Administrators can monitor the server logs to search for evidence of attempted security breaches. For more information about logs, see the Administrator Guide. However, input that was allowed in previous versions of the server may be blocked, and users may see errors when entering values. In particular:

  • Parameter names and values cannot have tags (< and >). These characters are not allowed because they can be used in an attempt to use script tags where such tags are not necessary. If your business data contains tags, you need to update the security configuration as described in this article to allow them.
  • SQL queries should start with SELECT and cannot have comments. If your reports or Domains have queries with comments, you need to either remove the comments or update the security configuration to allow them.

If users see recurring errors, administrators can examine logs to determine what input is not allowed. Preferably, users should modify their input to remove special characters that are security risks. If that is not feasible, this page explains how to configure the security framework to modify security rules or turn off the security restrictions.

Note: These restrictions were added to comply with security guidelines for web applications. Removing the restrictions may make the server more vulnerable to web attacks.

 

Checking my configuration, I can see that the security framework is enabled but does not prevent <script> tags in the URL:

#########################################################
# Jaspersoft Security Configuration
#########################################################

# Turns request parameter validation on or off.
security.validation.input.on=true

# Turns CSRF attack guard on or off.
security.validation.csrf.on=true

# Turns sql validation on or off.
security.validation.sql.on=true

I also tried to add this setting in the <js-webapp>/WEB-INF/classes/esapi/security-config.properties file, but it did not bring any change:

  • canonicalize.before.validation - This is a very important setting to ensure that when validating a character, no other encoding form of that character will pass through undetected. For example, an attack might look like this: %3C%73%63%72%69%70%74%3E, which to a browser reads the same as <script>. Canonicalization ensures that any encoding translates back to the standard characters, which we can then use to validate against.

    canonicalize.before.validation=true

 

I must be missing something in the fine-tuning but can't find what so far.

Any help on that would be really appreciated.

Thanks and regards,

David

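As an added illustration (not Jaspersoft's or ESAPI's code, and not part of the original post): a small Python model of a parameter filter that rejects the tag characters < and >, run against the exact payload quoted above, once on the raw percent-encoded query tokens and once after canonicalizing them first. The base URL is a constructed sample, and the repeated URL-decode/entity-decode loop is this example's own approximation of what a canonicalizer does; the real framework's canonicalizer may differ. It shows why a check applied to the raw query string lets %3C through while canonicalize-before-validation catches it, and extends the case in the post to double-encoded (%253C) and entity-encoded (%26lt%3B) forms.

```python
"""Added example: tag-character filtering with and without canonicalization.

Not Jaspersoft/ESAPI code. The base URL below is constructed for the demo;
the payload is the one quoted in the post.
"""
import html
from urllib.parse import unquote

# Payload from the post, appended to an otherwise valid URL.
PAYLOAD = "&%3C%2fscript%3E%3Cscript%3Ealert%28document.cookie%29%3C%2fscript%3E=1"
# Constructed sample base URL (any valid query string would do).
BASE_URL = "http://example.invalid/jasperserver/flow.html?_flowId=searchFlow"


def split_raw_query(url):
    """Split the query into (name, value) pairs WITHOUT decoding them, so the
    filter can be shown operating on the bytes the browser actually sent."""
    query = url.partition("?")[2]
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name, value))
    return pairs


def canonicalize(text, max_rounds=5):
    """Repeatedly URL-decode and HTML-entity-decode until the text stops
    changing. Looping catches double encodings such as %253C -> %3C -> '<'.
    If it still changes after max_rounds, refuse rather than guess."""
    current = text
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(current))
        if decoded == current:
            return decoded
        current = decoded
    raise ValueError("canonicalization did not converge: %r" % text)


def has_tag_chars(text):
    """The rule from the wiki text: parameter names and values may not contain < or >."""
    return "<" in text or ">" in text


def validate_url(url, canonicalize_before_validation=True):
    """Return the raw parameter tokens (names or values) the filter rejects.
    An empty list means the request would be let through."""
    rejected = []
    for name, value in split_raw_query(url):
        for token in (name, value):
            if canonicalize_before_validation:
                try:
                    probe = canonicalize(token)
                except ValueError:
                    rejected.append(token)  # non-converging encoding: reject
                    continue
            else:
                probe = token  # validate the raw, still-encoded token
            if has_tag_chars(probe):
                rejected.append(token)
    return rejected


if __name__ == "__main__":
    url = BASE_URL + PAYLOAD
    # Raw check sees only '%3C', never '<', so nothing is rejected.
    print("raw check     :", validate_url(url, canonicalize_before_validation=False))
    # Canonicalized check decodes to '</script><script>...' and rejects it.
    print("canonicalized :", validate_url(url, canonicalize_before_validation=True))
```

The difference between the two runs is the whole point of canonicalize.before.validation: a filter that compares against the literal characters < and > only works if every encoding of those characters has already been folded back to the literal form before the comparison. The convergence cap also matters; a canonicalizer that decodes exactly once is defeated by one extra layer of percent-encoding.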