Just fired this off to USCERT, not pretty. ---------------------------- Original Message ---------------------------- Subject: jboss vulnerability From: dexie@xxxxxx Date: Tue, February 20, 2007 10:54 pm To: "cert@xxxxxxxx" <cert@xxxxxxxx> Cc: "soc@xxxxxxxxxxx" <soc@xxxxxxxxxxx> -------------------------------------------------------------------------- Hi guys. I am an IT Security analyst in Canberra, Australia. I recently encountered an issue with jboss, which led me to do some Google enumeration... http://www.google.com.au/search?q=inurl:inspectMBean The search will pull up around 41500 results. Click on any of the links and you will gain access to the backend app (ie start/stop services, modify data,etc). I do not know if this will work in all cases, however I would recommend a good deal of caution if you do follow any of the links. Please let me know if you need any further info - I have nfi who to actually contact as auscert has no vulnerability reporting option and this is a first for me... Regards, Ben Dexter. +61 2 6207 0368
