lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 20 Feb 2007 11:30:35 -0500
From: Harry Hoffman <hhoffman@...solutions.net>
To: dexie@....cc
Cc: bugtraq@...urityfocus.com
Subject: Re: Jboss vulnerability

Hi,

Hopefully this will help some of those with mis-configured jboss
security. Although, IMHO, jboss should limit access out of the box :-(


This is due to improperly configured admin access to jboss.

The console and web mgmt are meant to be locked down but are not done so
by default.

The following directories should either be removed or have access
limitations:

$JBOSS_HOME/server/*/deploy/jmx-console.war
$JBOSS_HOME/server/*/deploy/management
$JBOSS_HOME/server/*/deploy/jbossweb-tomcat55.sar/ROOT.war


See, http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole, for
further information.

Cheers,
Harry


dexie@....cc wrote:
> Just fired this off to USCERT, not pretty.
> 
> ---------------------------- Original Message ----------------------------
> Subject: jboss vulnerability
> From:    dexie@....cc
> Date:    Tue, February 20, 2007 10:54 pm
> To:      "cert@...t.org" <cert@...t.org>
> Cc:      "soc@...cert.gov" <soc@...cert.gov>
> --------------------------------------------------------------------------
> 
> Hi guys.
> 
> I am an IT Security analyst in Canberra, Australia.
> 
> I recently encountered an issue with jboss, which led me to do some Google
> enumeration...
> 
> http://www.google.com.au/search?q=inurl:inspectMBean
> 
> The search will pull up around 41500 results. Click on any of the links
> and you will gain access to the backend app (ie start/stop services,
> modify data,etc). I do not know if this will work in all cases, however I
> would recommend a good deal of caution if you do follow any of the links.
> 
> Please let me know if you need any further info - I have nfi who to
> actually contact as auscert has no vulnerability reporting option and this
> is a first for me...
> 
> 
> Regards,
> Ben Dexter.
> +61 2 6207 0368
> 
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ