lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <005401cc73e8$75d7ddf0$9b7a6fd5@ml>
Date: Thu, 15 Sep 2011 23:43:26 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: Vulnerabilities in JBoss Application Server

Hello list!

I want to warn you about Information Leakage and Brute Force vulnerabilities
in JBoss Application Server.

-------------------------
Affected products:
-------------------------

Vulnerable are all versions of JBoss Application Server, including JBoss
3.2.7, JBoss 4.0.5.GA, JBoss 5.0 and previous versions.

----------
Details:
----------

Information Leakage (WASC-13):

http://site/status
http://site/status?full=true

Status page is publicly accessible. Which leads to leakage of logs of last
connections and (in second case) leakage of all services (with their paths)
on the server.

Brute Force (WASC-11):

There is not protection against Brute Force attacks at these resources:

http://site/jmx-console/
http://site/web-console/
http://site/admin-console/ (starting from version 5.1.0)
http://site/jbossws/ (the servers occur, where password isn't set on this
resource)

And other private resources with BF vulnerability (which are hidden behind
Basic Authentication, as above-mentioned resources, except Admin Console).
The list of all resources of concrete server can be found at page
status?full=true.

------------
Timeline:
------------

2010.03.06 - found multiple holes at another vulnerable Ukrtelecom's web
site, few of them were holes in JBoss.
2010.08.23 - gave them time to fix other multiple holes at their sites,
Internet services and telecommunication services, which I've informed them
during 2007-2010, but with no results.
2010.08.24 - announced at my site about multiple holes at Ukrtelecom's web
site, few of them were holes in JBoss.
2010.08.25 - informed Ukrtelecom (and they by themselves could inform
developers of JBoss).
2011.06.03 - gave them time to fix these holes (and all other holes,
including holes in Iskra ADSL routers, which they supply to their clients),
but with no results (except fixing above-mentioned Information Leakage in
JBoss at their site).
2011.06.04 - announced at my site about holes in JBoss.
2011.06.05 - informed developers of JBoss.
2011.09.09 - disclosed at my site.

I mentioned about these vulnerabilities in JBoss at my site:
http://websecurity.com.ua/5196/

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ