Bug 742984 (CVE-2011-3606)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2011-3606 JBoss AS: DOM based XSS in the administration console | | |
| Product | [Other] Security Response | Reporter | Jan Lieskovsky <jlieskov> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED NOTABUG | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | disclosure, djorm, dwalluck, fnasser, jclere, mbenitez, pcheung, security-response-team |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2011-12-02 03:41:47 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 743016 | | |
Description
Jan Lieskovsky
2011-10-03 13:52:13 UTC
Acknowledgements: Red Hat would like to thank David Black for reporting this issue.

Is there a more precise description of the flaw?

(In reply to comment #4)
> Is there a more precise description of the flaw?

Sure. My original email wasn't copied into this bug report, so I will include parts of it below:

"It goes like this ... when you visit a page like -->
http://localhost:9990/console/App.html#<video onerror=alert(1) src="loaskdfjsaldfj">xxxx
an error is recorded (you can see this in console.log). While it doesn't trigger at this point (as it shouldn't), a "messages" button which you can click on .. and "view" the information about the failure will be shown (a "messages" button, at the bottom right of the page). In the respective pop up, (if clicked) the xss will be triggered. I have attached a screen-shot to show it triggering in the latest stable version of chrome using jboss 7.02 which I downloaded yesterday."

Please let me know if you would like the screen-shot which I sent in the email.

(In reply to comment #6)
> (In reply to comment #4)
> > Is there a more precise description of the flaw?
>
> Sure. My original email wasn't copied into this bug report, so I will include
> parts of it below:
[..]
> Please let me know if you would like the screen-shot which I sent in the email.

Hi David, your original message was copied to this bug report too, but rather as a private comment (just FYI). Jean-Frederic is already aware of it. HTH Jan

P.S.: The screenshot was attached too.

Ah, ok.

Hm, I am not able to reproduce it with jboss-as-7.1.0.Alpha2-SNAPSHOT. Which version are you testing?

I was testing jboss 7.02 (in chrome). If you are using firefox, you may need to switch to chrome/chromium to test it. Firefox and chrome can (depending on the method of access) provide different "values" for location.hash. If it is accessed like this -->
var something = location.href.split("#")[1] || "" ;
chrome and firefox can provide different results.

I can't reproduce it either.

It uses GWT, which is not my cup of tea. You should assign it to Heiko Braun and retest with a new chrome version (maybe there is a problem there).

I can reproduce this issue on JBoss AS 7.0.2.Final and EAP 6.0.0.Alpha2 (AS 7.1.0.Alpha1-redhat-1). I think the line wrapping in BZ has confused the initial report. In the URL:
http://localhost:9990/console/App.html#<video onerror=alert(1) src="loaskdfjsaldfj">xxxx
There must be a space where the newline is: ...onerror=alert(1) src="...

Has been fixed here: https://github.com/heiko-braun/as7-console/commit/6e9146067cc05ea3c84305aa159d9c5036fe4383
Will be included in AS 7.1 (or Console 1.0.0.Beta19)

This issue is now resolved in JBoss AS 7.1.0 Beta 1.

Statement: Not vulnerable. This issue only affects community JBoss AS 7 prior to 7.1.0 Beta 1. It does not affect components shipped with any Red Hat products.
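The thread above describes a URL fragment that is recorded as a navigation error and later rendered into the console's "messages" pop-up, plus the point that browsers can hand back different values for the fragment. The following is an added, stand-alone model of that sink and of the escaping fix, not code from the as7-console project or the linked commit; the "Navigation error:" wording, the `render*` and `fragmentVariants` helpers, and the percent-decoding difference are assumptions made for illustration.

```javascript
// Added example (not the JBoss console's own code): a message panel that
// renders a failed navigation's URL fragment, unescaped versus escaped.

// Minimal HTML escaper: neutralises the characters that open tags/attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Extract the fragment the way the report describes (href.split("#")).
// A plain string stands in for window.location so this runs under Node.
function fragmentFromHref(href) {
  return href.split("#")[1] || "";
}

// The report notes that Firefox and Chrome can return different values for
// the fragment; whether it is percent-decoded is one such difference (an
// assumption here). The sink must escape whichever form it actually renders.
function fragmentVariants(href) {
  const raw = fragmentFromHref(href);
  let decoded;
  try { decoded = decodeURIComponent(raw); } catch (e) { decoded = raw; }
  return { raw, decoded };
}

// Vulnerable rendering: the untrusted fragment goes straight into markup.
function renderMessageUnsafe(fragment) {
  return `<div class="message">Navigation error: ${fragment}</div>`;
}

// Hardened rendering: the fragment is escaped, so the browser shows it as text.
function renderMessageSafe(fragment) {
  return `<div class="message">Navigation error: ${escapeHtml(fragment)}</div>`;
}

// Crude detection check for the rendered output: strip our own wrapper and
// flag any remaining '<' followed by a letter, i.e. a tag that leaked in.
function containsInjectedTag(html) {
  const inner = html.replace(/^<div class="message">/, "").replace(/<\/div>$/, "");
  return /<[a-z]/i.test(inner);
}

// Constructed inputs: the fragment from the report (the space after alert(1)
// matters, as the thread notes) and a percent-encoded form of the same idea.
const reportHref = 'http://localhost:9990/console/App.html#<video onerror=alert(1) src="loaskdfjsaldfj">xxxx';
const encodedHref = 'http://localhost:9990/console/App.html#%3Cvideo%20onerror%3Dalert(1)%3Exxxx';
```

The second input shows why checking the raw `href` alone is not enough: a sink that receives a decoded fragment sees the tag even though the raw string contains no `<`.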