Re: Jboss vulnerability (AUSCERT#2007d2feb)
Hi Ben, Bugtraq,
For the record, AusCERT is more than happy to assist researchers with
coordinated responsible vulnerability disclosure; in fact, you may remember
us from coordinated vuln disclosures such as:
http://www.auscert.org.au/render.html?it=4091
We are happy to work with researchers and vendors and to keep your details
anonymous if you so wish.
This of course typically relies on you contacting us prior to public
disclosure.
You mention in the below email that:
"auscert (sic) have no vulnerability reporting option"
Granted, we have no webform that you can fill out and submit regarding
vulnerabilities (and we have never had a request from a researcher to
implement such a thing).
All the AusCERT contact details are available from:
http://www.auscert.org.au/1922
These options include phone, fax, postal mail and email.
This page includes a link to our PGP key should you wish to communicate
securely via email.
We will certainly investigate this issue further, and will begin notifying
potentially vulnerable parties exposed to this issue.
Best regards,
MacLeonard
--
MacLeonard Starkey, Security Analyst | Hotline: +61 7 3365 4417
AusCERT | Fax: +61 7 3365 7031
Australia's National CERT | WWW: www.auscert.org.au
Brisbane QLD Australia | Email: auscert@xxxxxxxxxxxxxx
> Just fired this off to USCERT, not pretty.
>
> ---------------------------- Original Message ----------------------------
> Subject: jboss vulnerability
> From: dexie@xxxxxx
> Date: Tue, February 20, 2007 10:54 pm
> To: "cert@xxxxxxxx" <cert@xxxxxxxx>
> Cc: "soc@xxxxxxxxxxx" <soc@xxxxxxxxxxx>
> --------------------------------------------------------------------------
>
> Hi guys.
>
> I am an IT Security analyst in Canberra, Australia.
>
> I recently encountered an issue with jboss, which led me to do some Google
> enumeration...
>
> http://www.google.com.au/search?q=inurl:inspectMBean
>
> The search will pull up around 41500 results. Click on any of the links
> and you will gain access to the backend app (ie start/stop services,
> modify data, etc.). I do not know if this will work in all cases, however I
> would recommend a good deal of caution if you do follow any of the links.
>
> Please let me know if you need any further info - I have nfi who to
> actually contact as auscert has no vulnerability reporting option and this
> is a first for me...
>
>
> Regards,
> Ben Dexter.
> +61 2 6207 0368
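Detection logic for the exposure the quoted report describes, as an added example that is not part of this thread: it scans web-server access logs for successful, unauthenticated requests to JBoss JMX console actions (inspectMBean and its siblings) arriving from outside a trusted network. The sample log lines and the trusted range are constructed assumptions.

```python
import ipaddress
import re

# Combined/common log format: host ident user [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# HtmlAdaptor actions of the JBoss JMX console; inspectMBean is the one the
# Google search in the report keys on, invokeOp actually calls an MBean operation.
JMX_ACTIONS = ("inspectMBean", "invokeOp", "updateAttributes")

# Assumed internal range for administrators (adjust to your own network).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample lines for the demo; the addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Feb/2007:22:54:01 +1100] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system%3Atype%3DServer HTTP/1.1" 200 5123
10.0.0.5 - admin [20/Feb/2007:22:55:10 +1100] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss%3Aservice%3DNaming HTTP/1.1" 200 4100
203.0.113.9 - - [20/Feb/2007:22:56:42 +1100] "POST /jmx-console/HtmlAdaptor?action=invokeOp HTTP/1.1" 401 0
198.51.100.3 - - [20/Feb/2007:22:57:00 +1100] "GET /index.html HTTP/1.1" 200 812
"""


def find_exposed_jmx(log_text: str, trusted_nets=TRUSTED_NETS) -> list:
    """Return JMX console requests that succeeded (2xx) with no authenticated
    user, from an address outside trusted_nets: the signature of an open console."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        path = m.group("path")
        if "/jmx-console/" not in path or not any(a in path for a in JMX_ACTIONS):
            continue
        try:
            addr = ipaddress.ip_address(m.group("host"))
        except ValueError:
            continue
        status = int(m.group("status"))
        authenticated = m.group("user") != "-"   # remote-user field set by the container
        internal = any(addr in net for net in trusted_nets)
        if 200 <= status < 300 and not authenticated and not internal:
            hits.append({"host": str(addr), "path": path, "status": status})
    return hits


if __name__ == "__main__":
    for hit in find_exposed_jmx(SAMPLE_LOG):
        print(f"unauthenticated JMX console access from {hit['host']}: {hit['path']}")
```

A 401 on the console path (third sample line) means the security constraint is doing its job; the first line is the case to alert on.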