
Pentaho 5.2.x BA Suite / PDI Information Disclosure

18 Sep 2015 00:00:00 | Reported by Gregory Draperi | Type: packetstorm | Source: packetstormsecurity.com

Improper authentication vulnerability in Pentaho GA BA Suite & PDI 5.2.

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| CNVD | Pentaho GA PDI & Pentaho GA BA Authentication Bypass Vulnerability | 17 Sep 2015 00:00 | cnvd |
| CVE | CVE-2015-6940 | 22 Sep 2015 15:00 | cve |
| Cvelist | CVE-2015-6940 | 22 Sep 2015 15:00 | cvelist |
| EUVD | EUVD-2015-6873 | 7 Oct 2025 00:30 | euvd |
| NVD | CVE-2015-6940 | 22 Sep 2015 15:59 | nvd |
| OpenVAS | Pentaho Data Integration (PDI) Suite Information Disclosure Vulnerability - Active Check | 24 May 2016 00:00 | openvas |
| OpenVAS | Pentaho Business Analytics Information Disclosure Vulnerability - Active Check | 24 May 2016 00:00 | openvas |
| Prion | Information disclosure | 22 Sep 2015 15:59 | prion |

`Exploit Title: Improper authentication allows unauthenticated access  
to configuration files  
Product: Pentaho GA PDI & Pentaho GA BA  
Vulnerable Versions: 5.2.x GA BA Suite and PDI - Suite and previous versions  
Tested Version: 5.2.x GA BA Suite and PDI - Suite  
Advisory Publication: 15/02/2015  
Latest Update: 15/02/2015  
Vulnerability Type: Improper Authentication [CWE-287]  
CVE Reference: CVE-2015-6940  
Credit: Gregory DRAPERI  
  
Advisory Details:  
  
(1) Vendor & Product Description  
--------------------------------  
  
Vendor: PENTAHO  
  
Product & Version:  
4.3.x GA PDI - Suite  
4.4.x GA PDI - Suite  
4.5.x GA BA Suite  
4.8.x GA BA Suite  
5.0.x GA BA Suite and PDI - Suite  
5.1.x GA BA Suite and PDI - Suite  
5.2.x GA BA Suite and PDI - Suite  
  
Vendor URL & Download:  
http://www.pentaho.com  
  
Product Description:  
"Pentaho Business Analytics, a suite of open source Business  
Intelligence (BI) products which provide data integration, OLAP  
services, reporting, dashboarding, data mining and ETL capabilities."  
  
  
(2) Vulnerability Details:  
--------------------------  
The GetResource servlet, a vestige of the old platform UI, allows  
unauthenticated access to resources in the pentaho-solutions/system  
folder. Specifically vulnerable are properties files that may reveal  
passwords.  
  
The servlet allows access to files with the following extensions:  
  
.xsl  
.mondrian.xml  
.jpg  
.jpeg  
.gif  
.bmp  
.properties  
.jar  
  
The vulnerability allows unauthenticated access to properties files in  
the system solution which include properties files containing  
passwords. The offending code was heavily used in our previous version  
of our web UI but has since then been deprecated and is only being  
used in an old deprecated plugin (JPivot).  
  
For example, unauthenticated access to the  
defaultUser.spring.properties is allowed with the following URL:  
http://localhost:8080/pentaho/GetResource?resource=system/defaultUser.spring.properties  
  
  
(3) Advisory Timeline:  
----------------------  
05/02/2015 - First Contact informing vendor of vulnerability  
05/02/2015 - Response requesting details of vulnerability. Details sent  
05/02/2015 - Vendor indicates issue is under investigation.  
15/02/2015 - Vendor confirms patch ready and releases the patch  
16/09/2015 - Public disclosure of vulnerability.  
  
  
(4) Solution:  
------------  
Apply the patches listed below to your Server at the following location.  
  
Download the appropriate .jar file for your version of the DI and BI Platform.  
Copy the .jar file to the WEB-INF/lib folder of each of your DI and BI Servers.  
Restart each of your servers.  
  
Please note:  
  
SPA9-xxxx-4.5.0.11.jar works for both 4.3.x GA PDI - Suite and 4.5.x  
GA BI - Suite  
  
SPA9_xxxx-4.8.3.4-patch.jar works for both 4.4.x GA PDI - Suite and  
4.8.x GA BI - Suite  
  
SPA9_xxxx-5.x-patch.jar works for all 5.x Versions  
  
(5) Credits:  
------------  
Discovered by Gregory DRAPERI  
  
(6) References:  
------------  
https://support.pentaho.com/entries/78884125-Security-Vulnerability-Announcement-Feb-2015  
`
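
A log check for the access described in section (2), added here as an example and not part of the original advisory or of Pentaho's code: it scans web access-log lines for requests to the GetResource servlet that name one of the listed file extensions. The Tomcat "common" log pattern, the sample lines and the severity labels are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Extensions the advisory lists as served by the GetResource servlet.
SERVED = (".xsl", ".mondrian.xml", ".jpg", ".jpeg", ".gif", ".bmp",
          ".properties", ".jar")

# Assumed log layout: Tomcat "common" pattern  %h %l %u %t "%r" %s %b
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Sep/2015:10:12:01 +0000] "GET /pentaho/GetResource'
    '?resource=system/defaultUser.spring.properties HTTP/1.1" 200 512',
    '192.0.2.10 - - [18/Sep/2015:10:12:03 +0000] "GET /pentaho/GetResource'
    '?resource=system%2Fdemo.mondrian.xml HTTP/1.1" 200 2048',
    '198.51.100.7 - - [18/Sep/2015:10:15:40 +0000] "GET /pentaho/Home HTTP/1.1" 200 9000',
    '198.51.100.7 - - [18/Sep/2015:10:16:02 +0000] "GET /pentaho/GetResource'
    '?resource=system/defaultUser.spring.properties HTTP/1.1" 404 0',
]

def find_getresource_hits(lines):
    """Return one finding per GetResource request naming a served file type."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        # Match on the servlet name only; the context path may not be /pentaho.
        if not url.path.endswith("/GetResource"):
            continue
        # parse_qs percent-decodes, so encoded resource names are normalised.
        for resource in parse_qs(url.query).get("resource", []):
            name = resource.lower()
            if not name.endswith(SERVED):
                continue
            if m["status"] != "200":
                severity = "attempt"      # requested but not served
            elif name.endswith(".properties"):
                severity = "high"         # file type that may reveal passwords
            else:
                severity = "review"       # other served file types
            findings.append({"ip": m["ip"], "time": m["ts"], "resource": resource,
                             "status": int(m["status"]), "severity": severity})
    return findings

if __name__ == "__main__": print(*find_getresource_hits(SAMPLE_LOG), sep="\n")
```

Any "high" finding dated before the patch was installed means the credentials in that properties file should be treated as exposed and rotated.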

18 Sep 2015 00:00 (current)
Vulners AI Score: 6.7 (Medium risk)
EPSS: 0.00283