SecurityTracker.com
SecurityTracker Archives
Category:   Application (Web Server/CGI)  >   JBoss
Vendors:   JBoss Group
JBoss Default Configuration Lets Remote Users Gain Administrative Access
SecurityTracker Alert ID:  1017677
SecurityTracker URL:  http://securitytracker.com/id/1017677
CVE Reference:   CVE-2007-1036
Updated:  May 19 2008
Original Entry Date:  Feb 21 2007
Impact:   User access via network
Vendor Confirmed:  Yes

Description:   A vulnerability was reported in JBoss. A remote user can access the administrative interface in default configurations.

By default, JBoss servers are configured to permit remote users to access the administrative interface.

Ben Dexter reported this vulnerability.

Impact:   A remote user can gain administrative access.
Solution:   The vendor provides a description on how to appropriately secure the console, available at the following URLs:

http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss
http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole
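The vendor's remedy is a deployment-descriptor change: the jmx-console web application ships with its security-constraint commented out, and securing it means enabling a constraint on /* backed by a login-config. The following audit script is an added example, not JBoss code or code from the SecurityTracker entry; the web.xml fragments it checks are constructed for this example, modelled on the layout of the jmx-console.war/WEB-INF/web.xml in JBoss 4.x (servlet name HtmlAdaptor, role JBossAdmin). It goes one step beyond the advisory by also flagging a constraint that lists http-method elements, since a constraint written that way applies only to the listed verbs; leaving http-method out makes it cover every verb. It checks web.xml only: the matching security-domain in jboss-web.xml and the user/role properties files that the vendor procedure also sets up are outside its scope.

```python
"""Audit a JBoss jmx-console web.xml for the access control the vendor
describes.  Added example, not JBoss code; the descriptors below are
constructed, modelled on the JBoss 4.x jmx-console.war/WEB-INF/web.xml."""
import xml.etree.ElementTree as ET

# Constructed: the shipped layout, with the security-constraint commented out
# (no authentication is required to reach the console).
WEAK_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>HtmlAdaptor</servlet-name>
    <servlet-class>org.jboss.jmx.adaptor.html.HtmlAdaptorServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>HtmlAdaptor</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
  <!--
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
  -->
</web-app>
"""

# Constructed: the same descriptor with the comment markers removed only.
# The constraint is active but limited to GET and POST, and no login-config.
PARTIAL_WEB_XML = WEAK_WEB_XML.replace("<!--", "").replace("-->", "")

# Constructed: constraint on /* for every HTTP verb, plus login-config and role.
HARDENED_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>HtmlAdaptor</servlet-name>
    <servlet-class>org.jboss.jmx.adaptor.html.HtmlAdaptorServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>HtmlAdaptor</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JBoss JMX Console</realm-name>
  </login-config>
  <security-role>
    <role-name>JBossAdmin</role-name>
  </security-role>
</web-app>
"""


def audit_jmx_console_web_xml(xml_text):
    """Return a dict of findings about the descriptor's access control."""
    root = ET.fromstring(xml_text)
    # Servlet 2.4+ descriptors carry a default namespace; older ones do not.
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""

    def q(tag):
        return ns + tag

    findings = {
        "constraint_present": False,   # some constraint with an auth-constraint
        "covers_all_paths": False,     # that constraint includes url-pattern /*
        "all_methods_covered": False,  # the /* collection lists no http-method
        "login_config_present": root.find(q("login-config")) is not None,
    }
    for sc in root.findall(q("security-constraint")):
        if sc.find(q("auth-constraint")) is None:
            continue  # no role requirement, so this constraint grants nothing
        for wrc in sc.findall(q("web-resource-collection")):
            findings["constraint_present"] = True
            patterns = [p.text.strip() for p in wrc.findall(q("url-pattern")) if p.text]
            if "/*" in patterns:
                findings["covers_all_paths"] = True
                # http-method elements restrict the constraint to those verbs only.
                if not wrc.findall(q("http-method")):
                    findings["all_methods_covered"] = True
    findings["secured"] = all(
        findings[k] for k in ("constraint_present", "covers_all_paths",
                              "all_methods_covered", "login_config_present"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_WEB_XML), ("partial", PARTIAL_WEB_XML),
                       ("hardened", HARDENED_WEB_XML)):
        print(name, audit_jmx_console_web_xml(text))
```

Run against a live deployment's descriptor by reading jmx-console.war/WEB-INF/web.xml into the function; a result with secured set to False points at which of the four conditions is missing.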

Vendor URL:  www.jboss.com/
Cause:   Configuration error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


Source Message Contents

Date:  20 Feb 2007 13:06:24 -0000
Subject:  Jboss vulnerability

Just fired this off to USCERT, not pretty.

---------------------------- Original Message ----------------------------
Subject: jboss vulnerability
From:    dexie@tsn.cc
Date:    Tue, February 20, 2007 10:54 pm
To:      "cert@cert.org" <cert@cert.org>
Cc:      "soc@us-cert.gov" <soc@us-cert.gov>
--------------------------------------------------------------------------

Hi guys.

I am an IT Security analyst in Canberra, Australia.

I recently encountered an issue with jboss, which led me to do some Google
enumeration...

http://www.google.com.au/search?q=inurl:inspectMBean

The search will pull up around 41500 results. Click on any of the links
and you will gain access to the backend app (i.e. start/stop services,
modify data, etc.). I do not know if this will work in all cases, however I
would recommend a good deal of caution if you do follow any of the links.

Please let me know if you need any further info - I have nfi who to
actually contact as auscert has no vulnerability reporting option and this
is a first for me...


Regards,
Ben Dexter.
+61 2 6207 0368


Copyright 2014, SecurityGlobal.net LLC