Bugtraq mailing list archives
Re: Jboss vulnerability
From: "Javier Antunez" <javier.antunez () gmail com>
Date: Tue, 20 Feb 2007 20:06:51 -0300
Interesting issue... Trying various URLs for fun in one of our lab's jboss, i found the following: http://yoursitehere:port/web-console/ (opens the web console of Jboss) http://yoursitehere:port/jmx-console/ (opens the jmx console of jboss) Most common values for port are 80 and 8080 Browsing you can view some interesting information: - Hostname, host Address, processor, OS name and version (view org.jboss.system.server.ServerInfo) - Work directories physical paths (view org.jboss.system.server.ServerConfigImpl) - And maybe more usefull information for an attacker Reading about this in the jboss wiki, i find that this is the default configuration, that is not secured by default. Regards Javier Antunez On 20 Feb 2007 13:06:24 -0000, dexie () tsn cc <dexie () tsn cc> wrote:
Just fired this off to USCERT, not pretty. ---------------------------- Original Message ---------------------------- Subject: jboss vulnerability From: dexie () tsn cc Date: Tue, February 20, 2007 10:54 pm To: "cert () cert org" <cert () cert org> Cc: "soc () us-cert gov" <soc () us-cert gov> -------------------------------------------------------------------------- Hi guys. I am an IT Security analyst in Canberra, Australia. I recently encountered an issue with jboss, which led me to do some Google enumeration... http://www.google.com.au/search?q=inurl:inspectMBean The search will pull up around 41500 results. Click on any of the links and you will gain access to the backend app (ie start/stop services, modify data,etc). I do not know if this will work in all cases, however I would recommend a good deal of caution if you do follow any of the links. Please let me know if you need any further info - I have nfi who to actually contact as auscert has no vulnerability reporting option and this is a first for me... Regards, Ben Dexter. +61 2 6207 0368
Current thread:
- Jboss vulnerability dexie (Feb 20)
- Re: Jboss vulnerability James Davis (Feb 20)
- Re: Jboss vulnerability Harry Hoffman (Feb 20)
- Re: Jboss vulnerability Javier Antunez (Feb 20)
- Re: Jboss vulnerability (AUSCERT#2007d2feb) AusCERT (Feb 21)
- <Possible follow-ups>
- Re: Jboss vulnerability ben . dexter (Feb 20)