Bug 742984 (CVE-2011-3606)

Summary: CVE-2011-3606 JBoss AS: DOM based XSS in the administration console
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: disclosure, djorm, dwalluck, fnasser, jclere, mbenitez, pcheung, security-response-team
Keywords: Security
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2011-12-02 03:41:47 UTC
Bug Blocks: 743016

Description Jan Lieskovsky 2011-10-03 13:52:13 UTC
A DOM based cross-site scripting flaw was found in the way the administrative console of the JBoss Application Server processed certain messages (the 'onerror' argument was not sanitized prior to further use). A remote attacker could provide a specially-crafted web page and trick a valid JBoss AS user with administrator privileges into visiting it, which would lead to DOM environment modification and arbitrary HTML or web script execution.

Comment 3 Jan Lieskovsky 2011-10-03 16:30:33 UTC
Acknowledgements:

Red Hat would like to thank David Black for reporting this issue.

Comment 4 Jean-frederic Clere 2011-10-04 06:23:50 UTC
Is there a more precise description of the flaw?

Comment 6 David 2011-10-04 10:38:38 UTC
(In reply to comment #4)
> Is there a more precise description of the flaw?

Sure. My original email wasn't copied into this bug report, so I will include parts of it below:

"It goes like this ... when you visit a page like  -->
http://localhost:9990/console/App.html#<video onerror=alert(1)
src="loaskdfjsaldfj">xxxx

an error is recorded (you can see this in console.log). While it
doesn't trigger at this point (as it shouldn't), a "messages" button
which you can click on to "view" the information about the failure
will be shown (a "messages" button, at the bottom right of the page).
In the respective pop up (if clicked), the xss will be triggered.
I have attached a screen-shot to show it triggering in the latest
stable version of chrome using jboss 7.02 which I downloaded
yesterday."

Please let me know if you would like the screen-shot which I sent in the email.

Comment 7 Jan Lieskovsky 2011-10-04 10:50:07 UTC
(In reply to comment #6)
> (In reply to comment #4)
> > Is there a more precise description of the flaw?
> 
> Sure. My original email wasn't copied into this bug report, so I will include
> parts of it below:
[..]
> Please let me know if you would like the screen-shot which I sent in the email.

Hi David,

  your original message was copied to this bug report too, but as a private comment (just FYI). Jean-Frederic is already aware of it.

HTH
Jan

P.S.: The screenshot was attached too.

Comment 8 David 2011-10-04 11:12:06 UTC
AH ok.

Comment 9 Jean-frederic Clere 2011-10-05 09:09:03 UTC
Hm, I am not able to reproduce it with jboss-as-7.1.0.Alpha2-SNAPSHOT. Which version are you testing?

Comment 10 David 2011-10-05 11:11:48 UTC
I was testing jboss 7.02 (in chrome). If you are using firefox, you may need to switch to chrome/chromium to test it. Firefox and chrome can (depending on the method of access) provide different "values" for location.hash.

If it is accessed like this  --> 
var something = location.href.split("#")[1] || "" ;
chrome and firefox can provide different results.

Comment 11 Jean-frederic Clere 2011-10-05 13:14:31 UTC
I can't reproduce it either. It uses gwt, which is not my cup of tea.
You should assign it to Heiko Braun and retest with a new chrome version (maybe there is a problem there).

Comment 12 David Jorm 2011-10-06 07:48:00 UTC
I can reproduce this issue on JBoss AS 7.0.2.Final and EAP 6.0.0.Alpha2 (AS 7.1.0.Alpha1-redhat-1). I think the line wrapping in BZ has confused the initial report. In the URL:

http://localhost:9990/console/App.html#<video onerror=alert(1)
src="loaskdfjsaldfj">xxxx

There must be a space where the newline is: ...onerror=alert(1) src="...
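
The source/sink pair described in comments 6, 10 and 12, as an added example that is not code from the as7-console project: the fragment is read as in comment 10, decoded so that Chrome and Firefox yield one canonical value (an assumption about what the console wants), and then either concatenated into markup unchanged (the flaw) or HTML-entity-encoded first (the fix). The "Error: " message text is hypothetical; the page does not show the console's real wording.

```javascript
// Source: the token after '#', read exactly as in comment 10. Browsers
// disagree on whether percent-encoding in the fragment is decoded, so we
// decode explicitly to get one canonical value (assumption: the console
// wants the decoded form; malformed %-sequences fall back to the raw text).
function readFragment(href) {
  const raw = href.split("#")[1] || "";
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return raw;
  }
}

// Vulnerable sink: the untrusted fragment is concatenated straight into
// HTML that the "messages" popup later renders as markup, so a <video
// onerror=...> payload becomes a live element (hypothetical message text).
function buildMessageHtmlUnsafe(fragment) {
  return '<div class="message">Error: ' + fragment + "</div>";
}

// Fix: entity-encode the five HTML metacharacters before the value becomes
// markup, so the payload is displayed as text instead of parsed as a tag.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, function (c) {
    return map[c];
  });
}

function buildMessageHtmlSafe(fragment) {
  return '<div class="message">Error: ' + escapeHtml(fragment) + "</div>";
}

// Constructed input: the PoC URL from the report, with the space that
// comment 12 notes must replace the line break.
const POC_HREF =
  'http://localhost:9990/console/App.html#<video onerror=alert(1) src="loaskdfjsaldfj">xxxx';

// Percent-encoded form of the same fragment: after readFragment() both forms
// are identical, so the sink-side encoding covers both browsers' behaviour.
const POC_HREF_ENCODED =
  "http://localhost:9990/console/App.html#%3Cvideo%20onerror%3Dalert(1)%20src%3D%22loaskdfjsaldfj%22%3Exxxx";
```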

Comment 14 David Jorm 2011-10-07 02:13:14 UTC
Has been fixed here: https://github.com/heiko-braun/as7-console/commit/6e9146067cc05ea3c84305aa159d9c5036fe4383

Will be included in AS 7.1 (or Console 1.0.0.Beta19)

Comment 16 David Jorm 2011-12-01 05:10:36 UTC
This issue is now resolved in JBoss AS 7.1.0 Beta 1.

Comment 17 David Jorm 2011-12-02 03:41:47 UTC
Statement:

Not vulnerable. This issue only affects community JBoss AS 7 prior to 7.1.0 Beta 1. It does not affect components shipped with any Red Hat products.