Metasploit mailing list archives
exploiting jboss verb bypass (CVE-2010-0783)
From: Konrads Smelkovs <konrads.smelkovs () gmail com>
Date: Thu, 2 Dec 2010 23:04:49 +0200
Hi,

I have encountered a JBoss 3.2.6 that Metasploit thinks is vulnerable to verb bypass [1]. When I use scanner/http/jboss_vulnscan to check for the vulnerability, it replies that it is successful, but examining through an HTTP proxy shows that on a HEAD request, instead of returning the full page, I get HTTP 200 OK, headers with no body.

Is the server still vulnerable? If so, how can I make a better test rather than the Java payload, as there might be a firewall in place that prevents it from connecting back?

[1] - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-0738

--
Konrads Smelkovs
Applied IT sorcery.