Metasploit mailing list archives

exploiting jboss verb bypass (CVE-2010-0783)


From: Konrads Smelkovs <konrads.smelkovs () gmail com>
Date: Thu, 2 Dec 2010 23:04:49 +0200

Hi,

I have encountered a JBoss 3.2.6 that Metasploit thinks is vulnerable to
verb bypass [1]. When I use scanner/http/jboss_vulnscan to check for the
vulnerability, it replies that it is successful, but examining through an HTTP
proxy shows that on a HEAD request, instead of returning the full page, I get
HTTP 200 OK, headers with no body. Is the server still vulnerable? If so, how
can I make a better test rather than a Java payload, as there might be a
firewall in place that prevents it from connecting back?


[1] - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-0738

--
Konrads Smelkovs
Applied IT sorcery.
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
