Bugtraq mailing list archives

Re: Jboss vulnerability (AUSCERT#2007d2feb)


From: AusCERT <auscert () auscert org au>
Date: Wed, 21 Feb 2007 09:48:53 +1000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Ben, Bugtraq,

For the record, AusCERT is more than happy to assist researchers with
coordinated responsible vulnerability disclosure; in fact, you may remember
us from coordinated vuln disclosures such as:

http://www.auscert.org.au/render.html?it=4091

We are happy to work with researchers and vendors and to keep your details
anonymous if you so wish.

This of course typically relies on you contacting us prior to public
disclosure.

You mention in the below email that:

        "auscert (sic) have no vulnerability reporting option" 

Granted, we have no webform that you can fill out and submit regarding
vulnerabilities (and we have never had a request from a researcher to
implement such a thing).

All the AusCERT contact details are available from:

        http://www.auscert.org.au/1922

These options include: 
        
        phone, fax, postal mail, email 

This page includes a link to our pgp key should you wish to communicate
securely via email.

We will certainly investigate this issue further, and will begin notifying
potentially vulnerable parties exposed to this issue.

Best regards, 

MacLeonard

- --
MacLeonard Starkey,  Security Analyst   | Hotline: +61 7 3365 4417
AusCERT                                 | Fax:     +61 7 3365 7031
Australia's National CERT               | WWW:     www.auscert.org.au
Brisbane QLD Australia                  | Email:   auscert () auscert org au

Just fired this off to USCERT, not pretty.

---------------------------- Original Message ----------------------------
Subject: jboss vulnerability
From:    dexie () tsn cc
Date:    Tue, February 20, 2007 10:54 pm
To:      "cert () cert org" <cert () cert org>
Cc:      "soc () us-cert gov" <soc () us-cert gov>
--------------------------------------------------------------------------

Hi guys.

I am an IT Security analyst in Canberra, Australia.

I recently encountered an issue with JBoss, which led me to do some Google
enumeration...

http://www.google.com.au/search?q=inurl:inspectMBean

The search will pull up around 41,500 results. Click on any of the links,
and you will gain access to the backend app (i.e. start/stop services,
modify data, etc.). I do not know if this will work in all cases, however I
would recommend a good deal of caution if you do follow any of the links.

Please let me know if you need any further info - I have nfi who to
actually contact as auscert has no vulnerability reporting option and this
is a first for me...


Regards,
Ben Dexter.
+61 2 6207 0368
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRduI5Sh9+71yA2DNAQKiNwP/e/EkSLeP4R59Gdvo0j9k0dNCbqPCXpUA
9Jlc4JNAyRM44Y8AWv8Az5L2C1PpPYi8TB/4H//5MKBpG6IQ0IOx7OLqAp61V0i5
ByD7lWHI3GSzuU4X8CJUCwY16N4bMCu/PjgH9dL+mt43bQZ0y5Fr8Ni9DhcdjUbR
1RDccFQXjuY=
=3Rf4
-----END PGP SIGNATURE-----
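The thread above describes Google hits for the "inspectMBean" action of an exposed JBoss JMX console. The following is an added example, not code from either of the posters or from the JBoss project: a small triage script that runs over web-server access-log lines and reports which JMX console requests were actually served (2xx, i.e. no authentication challenge) and which of those invoked state-changing actions. The log lines are constructed for the example; the paths and action names (/jmx-console/HtmlAdaptor, invokeOp, updateAttributes, displayMBeans) are assumptions about a JBoss 4.x deployment, since the original post names only inspectMBean.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Apache/Tomcat "combined" access-log prefix: client, ident, user, [timestamp],
# "METHOD target HTTP/x.y", status, size.  Anything after the size is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed JBoss 4.x JMX console layout.  The original post only names the
# inspectMBean action; the other action names are assumptions for this example.
JMX_CONSOLE_PREFIX = "/jmx-console/"
WRITE_ACTIONS = {"invokeOp", "updateAttributes"}   # change server state
READ_ACTIONS = {"inspectMBean", "displayMBeans"}   # only enumerate MBeans

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Feb/2007:22:41:03 +1100] "GET /jmx-console/ HTTP/1.1" 200 5120',
    '203.0.113.7 - - [20/Feb/2007:22:41:19 +1100] "GET /jmx-console/HtmlAdaptor'
    '?action=inspectMBean&name=jboss.system%3Atype%3DServer HTTP/1.1" 200 8831',
    '203.0.113.7 - - [20/Feb/2007:22:42:01 +1100] "POST /jmx-console/HtmlAdaptor'
    '?action=invokeOp&name=jboss.system%3Atype%3DServer&methodIndex=1 HTTP/1.1" 200 1204',
    '198.51.100.4 - - [20/Feb/2007:22:45:10 +1100] "GET /jmx-console/HtmlAdaptor'
    '?action=inspectMBean&name=jboss%3Aservice%3DNaming HTTP/1.1" 401 954',
    '198.51.100.4 - - [20/Feb/2007:22:45:30 +1100] "GET /index.html HTTP/1.1" 200 2048',
]


@dataclass
class JmxHit:
    ip: str
    action: Optional[str]   # value of the "action" query parameter, if any
    mbean: Optional[str]    # decoded "name" parameter, e.g. jboss.system:type=Server
    status: int
    served: bool            # 2xx response: the console answered without an auth challenge
    writes: bool            # action that changes state (start/stop services, set attributes)


def parse_line(line: str) -> Optional[dict]:
    """Split one access-log line into its fields; None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict) -> Optional[JmxHit]:
    """Return a JmxHit for requests under the JMX console path, else None."""
    parts = urlsplit(entry["target"])
    if not parts.path.startswith(JMX_CONSOLE_PREFIX):
        return None
    qs = parse_qs(parts.query)
    action = qs.get("action", [None])[0]
    mbean = qs.get("name", [None])[0]
    status = int(entry["status"])
    return JmxHit(
        ip=entry["ip"],
        action=action,
        mbean=mbean,
        status=status,
        served=200 <= status < 300,
        writes=action in WRITE_ACTIONS,
    )


def audit(lines: List[str]) -> List[JmxHit]:
    """All JMX console requests found in the given log lines, in log order."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        hit = classify(entry)
        if hit is not None:
            hits.append(hit)
    return hits


def exposed(hits: List[JmxHit]) -> List[JmxHit]:
    """Requests the console actually answered: evidence it is reachable unauthenticated."""
    return [h for h in hits if h.served]


def summary(hits: List[JmxHit]) -> dict:
    """Counts a responder would want first: served requests and served write actions."""
    served = exposed(hits)
    return {
        "requests": len(hits),
        "served": len(served),
        "served_writes": sum(1 for h in served if h.writes),
        "sources": sorted({h.ip for h in served}),
    }


if __name__ == "__main__":
    found = audit(SAMPLE_LOG)
    for h in found:
        flag = "SERVED" if h.served else f"denied({h.status})"
        kind = "WRITE" if h.writes else "read"
        print(f"{h.ip:14} {kind:5} {flag:12} {h.action or '-':15} {h.mbean or '-'}")
    print(summary(found))
```

A 401 on inspectMBean (the second client above) is what a correctly secured console looks like; a 200 on invokeOp is the "start/stop services, modify data" case the post warns about and should be triaged as a compromise, not a scan.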

