Breakout to Jasper reports

Article ID: 269102
Products

CA Identity Suite CA Identity Manager

Issue/Introduction

During penetration testing of the Symantec IGA platform it was discovered that it was possible to "break out" of Identity Manager and reach the Jasper Reports service without holding any Jaspersoft credentials.

Environment

Release : 14.4 CP1 CHF 2

Cause

Identity Manager is integrated with Jasper Reports. Normally, only admin users have access to these reports; any user can log in to Identity Manager, but a non-admin user will not see any reports.

It is not clear exactly how the integration between Identity Manager and Jasper Reports is set up, but it appears that the Jasper Reports web interface is framed into the Identity Manager page via an iframe, authenticated as a "service account" called <username> - Embedding using HTTP API - (this seems to be the user created for the IM/Jasper integration).

It turns out that any authenticated Identity Manager user can directly browse the page that is used to frame in the reports:

https://<hostname>/iam/im/identityEnv/busobjservlet/flow.html 

The user first has to interact with the application, for example by clicking the "View My Submitted Tasks" button. After that, browsing to the URL above grants access to the Jasper Reports interface as <username>.

This works because, when the report application is framed into Identity Manager, a new cookie named !Proxy!busobjservletJSESSIONID is set with path /iam/im/identityEnv/busobjservlet. This appears to be the cookie that carries the already established <username> session, so any browser that has received it can present it directly to the busobjservlet path.

From there, the attacker can use many Jasper Reports features as <username>, including creating domains and topics, uploading and deleting files, creating new data sources, interacting with existing data sources, and executing SQL queries directly against the backend database.
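As an added illustration (not part of this KB article and not CA/Broadcom code), the following Python reviews an unpatched deployment for the two artefacts described above: the !Proxy!busobjservletJSESSIONID cookie being issued for the busobjservlet path, and non-admin Identity Manager users successfully reaching /iam/im/identityEnv/busobjservlet/. The access-log format, user names, cookie values and the list of report administrators are constructed assumptions; adjust LOG_RE and the admin set to what your proxy or Identity Manager access log actually records.

```python
"""
Added example for reviewing an Identity Manager 14.4 deployment for the
busobjservlet breakout. Not code from the KB article or from CA/Broadcom;
the log format, user names, cookie values and admin list are constructed.
"""
import re

BUSOBJ_PATH = "/iam/im/identityEnv/busobjservlet"
PROXY_COOKIE = "!Proxy!busobjservletJSESSIONID"

# Constructed Set-Cookie headers modelled on the article: the normal IM
# session cookie plus the proxy cookie scoped to the busobjservlet path.
SAMPLE_SET_COOKIE = [
    "JSESSIONID=0123ABCD; Path=/iam/im; Secure; HttpOnly",
    PROXY_COOKIE + "=4567EFGH; Path=" + BUSOBJ_PATH + "; Secure; HttpOnly",
]

# Constructed access-log lines (Apache combined format, assumed to carry the
# IM user name in the remote-user field; real IM/proxy logs may differ).
SAMPLE_LOG = [
    '10.0.0.5 - imadmin [12/Mar/2023:10:01:02 +0000] '
    '"GET /iam/im/identityEnv/busobjservlet/flow.html HTTP/1.1" 200 5120',
    '10.0.0.9 - jdoe [12/Mar/2023:10:02:15 +0000] '
    '"GET /iam/im/identityEnv/index.jsp HTTP/1.1" 200 8810',
    '10.0.0.9 - jdoe [12/Mar/2023:10:02:40 +0000] '
    '"GET /iam/im/identityEnv/busobjservlet/flow.html HTTP/1.1" 200 5120',
    '10.0.0.12 - - [12/Mar/2023:10:04:00 +0000] '
    '"GET /iam/im/identityEnv/busobjservlet/flow.html HTTP/1.1" 302 0',
]


def proxy_cookie_scope(set_cookie_headers):
    """Return the Path a !Proxy!busobjservletJSESSIONID cookie was issued for,
    or None if no header in the list sets that cookie.

    Seeing this cookie issued to a non-admin session is the artefact the
    article points at: it carries the service-account Jasper session."""
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].partition("=")[0].strip()
        if name != PROXY_COOKIE:
            continue
        path = "/"  # RFC 6265 default when no Path attribute is present
        for attr in parts[1:]:
            key, _, value = attr.partition("=")
            if key.strip().lower() == "path":
                path = value.strip()
        return path
    return None


# Assumed log layout: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def find_busobjservlet_access(log_lines, report_admins):
    """Return (user, path, status) for every successful (2xx) request under
    the busobjservlet path made by a user not in report_admins.

    On an unpatched 14.4 CP1 deployment each such hit is a session that
    reached the Jasper Reports UI as the integration account."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        path = m.group("path").split("?", 1)[0]
        if not path.startswith(BUSOBJ_PATH):
            continue
        if not m.group("status").startswith("2"):
            continue  # redirects and denials are not a successful breakout
        user = m.group("user")
        if user in report_admins:
            continue
        findings.append((user, path, m.group("status")))
    return findings


if __name__ == "__main__":
    print("proxy cookie scoped to:", proxy_cookie_scope(SAMPLE_SET_COOKIE))
    for user, path, status in find_busobjservlet_access(SAMPLE_LOG, {"imadmin"}):
        print(f"non-admin {user} reached {path} ({status})")
```

A non-empty result from find_busobjservlet_access on a 14.4 CP1 CHF 2 system means ordinary users have already reached the framed Jasper interface and the affected service account's activity (data sources, uploads, SQL) should be reviewed. Unauthenticated lines (user "-") are ignored here because the breakout requires an Identity Manager login; correlate those by session ID if your log lacks a user field.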

Resolution

The issue of the IM page https://<IM address>/iam/im/identityEnv/busobjservlet/flow.html redirecting into the logged-in Jasper Reports session is resolved in 14.4 CP2. Deployments on 14.4 CP1 CHF 2 should upgrade to 14.4 CP2.