| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: 20 Feb 2007 13:06:24 -0000 From: dexie@....cc To: bugtraq@...urityfocus.com Subject: Jboss vulnerability Just fired this off to USCERT, not pretty. ---------------------------- Original Message ---------------------------- Subject: jboss vulnerability From: dexie@....cc Date: Tue, February 20, 2007 10:54 pm To: "cert@...t.org" <cert@...t.org> Cc: "soc@...cert.gov" <soc@...cert.gov> -------------------------------------------------------------------------- Hi guys. I am an IT Security analyst in Canberra, Australia. I recently encountered an issue with jboss, which led me to do some Google enumeration... http://www.google.com.au/search?q=inurl:inspectMBean The search will pull up around 41500 results. Click on any of the links and you will gain access to the backend app (ie start/stop services, modify data,etc). I do not know if this will work in all cases, however I would recommend a good deal of caution if you do follow any of the links. Please let me know if you need any further info - I have nfi who to actually contact as auscert has no vulnerability reporting option and this is a first for me... Regards, Ben Dexter. +61 2 6207 0368
Powered by blists - more mailing lists