Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Vulnerabilities in JBoss Application Server

From: "MustLive" <mustlive () websecurity com ua>
Date: Thu, 15 Sep 2011 23:43:26 +0300
Hello list!

I want to warn you about Information Leakage and Brute Force vulnerabilities
in JBoss Application Server.

-------------------------
Affected products:
-------------------------

Vulnerable are all versions of JBoss Application Server, including JBoss
3.2.7, JBoss 4.0.5.GA, JBoss 5.0 and previous versions.

----------
Details:
----------

Information Leakage (WASC-13):

http://site/status
http://site/status?full=true

Status page is publicly accessible. Which leads to leakage of logs of last
connections and (in second case) leakage of all services (with their paths)
on the server.

Brute Force (WASC-11):

There is not protection against Brute Force attacks at these resources:

http://site/jmx-console/
http://site/web-console/
http://site/admin-console/ (starting from version 5.1.0)
http://site/jbossws/ (the servers occur, where password isn't set on this
resource)

And other private resources with BF vulnerability (which are hidden behind
Basic Authentication, as above-mentioned resources, except Admin Console).
The list of all resources of concrete server can be found at page
status?full=true.

------------
Timeline:
------------

2010.03.06 - found multiple holes at another vulnerable Ukrtelecom's web
site, few of them were holes in JBoss.
2010.08.23 - gave them time to fix other multiple holes at their sites,
Internet services and telecommunication services, which I've informed them
during 2007-2010, but with no results.
2010.08.24 - announced at my site about multiple holes at Ukrtelecom's web
site, few of them were holes in JBoss.
2010.08.25 - informed Ukrtelecom (and they by themselves could inform
developers of JBoss).
2011.06.03 - gave them time to fix these holes (and all other holes,
including holes in Iskra ADSL routers, which they supply to their clients),
but with no results (except fixing above-mentioned Information Leakage in
JBoss at their site).
2011.06.04 - announced at my site about holes in JBoss.
2011.06.05 - informed developers of JBoss.
2011.09.09 - disclosed at my site.

I mentioned about these vulnerabilities in JBoss at my site:
http://websecurity.com.ua/5196/

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: