Pentaho 1.7.0.1062 Multiple Vulnerabilities

Many months ago I was researching bugs in the excellent Pentaho Business Intelligence platform (with bundled JBoss). I found the following:

A) Reflected XSS
B) Password field with autocomplete enabled
C) Disclosure of Session Tokens in URL

More info here: [http://jira.pentaho.com/browse/BISERVER-2698?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel]

After 6 months (SIX! It reminds me of David Litchfield and Oracle :) ) the Pentaho developers partially fixed everything.

I had not disclosed this before because I am trying to follow Responsible Disclosure as much as I can…

Is that the best? Well, sometimes…

That’s responsible disclosure
