Bug 510023 (CVE-2009-2405) - CVE-2009-2405 JBoss Application Server Web Console XSS
Summary: CVE-2009-2405 JBoss Application Server Web Console XSS
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-2405
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-07-07 13:13 UTC by Mark J. Cox
Modified: 2021-02-25 12:59 UTC
8 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-07-29 08:19:29 UTC
Embargoed:


Attachments
A fix for the Web Console XSS issue (3.40 KB, patch), 2009-07-13 15:08 UTC, Farah Juma
A revised fix for the Web Console XSS issue (27.47 KB, patch), 2009-07-16 20:55 UTC, Farah Juma


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1636 0 normal SHIPPED_LIVE Moderate: JBoss Enterprise Application Platform 4.3.0.CP07 update 2009-12-09 23:14:02 UTC
Red Hat Product Errata RHSA-2009:1637 0 normal SHIPPED_LIVE Moderate: JBoss Enterprise Application Platform 4.2.0.CP08 update 2009-12-09 23:32:14 UTC
Red Hat Product Errata RHSA-2009:1649 0 normal SHIPPED_LIVE Moderate: JBoss Enterprise Application Platform 4.3.0.CP07 update 2009-12-09 23:51:47 UTC
Red Hat Product Errata RHSA-2009:1650 0 normal SHIPPED_LIVE Moderate: JBoss Enterprise Application Platform 4.2.0.CP08 update 2009-12-10 00:03:48 UTC

Description Mark J. Cox 2009-07-07 13:13:09 UTC
We have received information from a third party regarding
vulnerabilities in JBoss Application Server.

Input passed to the "monitorName", "objectName", "attribute", and
"period" parameters in createSnapshot.jsp and to the "monitorName",
"objectName", "attribute", "threshold", "period", and "enabled"
parameters in createThresholdMonitor.jsp of the JBoss Web Console is not
properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's browser
session in context of an affected site.

The vulnerabilities are confirmed in version 5.1.0GA. Other versions may
also be affected.

The preliminary disclosure date has been set to July 22nd, 2009.

Comment 2 Farah Juma 2009-07-13 15:08:22 UTC
Created attachment 351481 [details]
A fix for the Web Console XSS issue

I was also able to reproduce this issue using EAP 4.3 CP05 and EAP 4.2 CP07.

Attached a patch:

The patch escapes HTML tags (i.e. converts "<" to "&lt;" and ">" to "&gt;") to make sure that the parameters to createSnapshot.jsp and createThresholdMonitor.jsp are sanitized before being displayed to the user. I will ask Dimitris to take a look at this patch.

Comment 3 Farah Juma 2009-07-14 19:10:46 UTC
Today, Brian and I found that our patch currently does not handle an input like:

aaa" onmouseover=alert(1) "

In this case, moving the mouse over the input field causes a box to pop up. We are currently working on revising our patch to deal with this case as well.

Comment 5 Farah Juma 2009-07-16 20:55:03 UTC
Created attachment 354047 [details]
A revised fix for the Web Console XSS issue

Brian and I have revised our patch so that single quotes and double quotes in the input are also escaped (i.e. we convert ' to &apos; and " to &quot;). We will commit our patch to the JBPAPP_4_2_0_GA_CP branch, Branch_5_x, and trunk.
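
The escaping progression in comments 2, 3 and 5, as an added example that is not the JBoss patch or any code from this bug: stage 1 encodes only < and >, stage 2 also encodes both quote characters, and a parser-based check shows why the first stage lets the onmouseover input from comment 3 break out of an attribute while the second does not. Assumed for illustration: a form that echoes the monitorName parameter back inside a quoted value attribute (and, separately, inside element text), plus two choices the comments do not mention, encoding & first and using the numeric &#39; instead of &apos;.

```python
"""Added example (not the JBoss patch): the two escaping stages described in
comments 2, 3 and 5, applied to a hypothetical echo-back of the monitorName
parameter, with a parser-based check for whether the payload from comment 3
breaks out of the attribute.
"""
from html.parser import HTMLParser
from typing import Callable, Dict, List

# The bypass input quoted in comment 3 (constructed copy of that string).
PAYLOAD = 'aaa" onmouseover=alert(1) "'


def escape_tags_only(value: str) -> str:
    """Stage 1 (first attachment): only the tag delimiters are encoded."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


def escape_tags_and_quotes(value: str) -> str:
    """Stage 2 (revised attachment): both quote characters are encoded too.

    Two choices here go beyond what the comments list: '&' is encoded first so
    entities already present in the input stay unambiguous, and the single
    quote becomes the numeric &#39; because &apos; is not an HTML 4 named entity.
    """
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;")
                 .replace("'", "&#39;"))


def render_field(monitor_name: str, escape: Callable[[str], str]) -> str:
    """Hypothetical form echo-back: the parameter lands inside a quoted attribute."""
    return f'<input type="text" name="monitorName" value="{escape(monitor_name)}">'


def render_label(monitor_name: str, escape: Callable[[str], str]) -> str:
    """Hypothetical echo-back into element text, where only < and > matter."""
    return f"<span>Monitor: {escape(monitor_name)}</span>"


class _TagCollector(HTMLParser):
    """Records every start tag seen and the attributes of the first <input>."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []
        self.input_attrs: Dict[str, str] = {}

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)
        if tag == "input" and not self.input_attrs:
            # HTMLParser has already decoded entities in attribute values here,
            # so a stage-2 value round-trips back to the original input.
            self.input_attrs = {name: (value if value is not None else "")
                                for name, value in attrs}


def _parse(markup: str) -> _TagCollector:
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector


def start_tags(markup: str) -> List[str]:
    """All start tags the browser-side parser would see in the rendered markup."""
    return _parse(markup).tags


def input_attributes(markup: str) -> Dict[str, str]:
    """Attributes of the rendered <input>, as the parser splits them."""
    return _parse(markup).input_attrs


def has_injected_handler(markup: str) -> bool:
    """True when the <input> carries an on* attribute the template never wrote."""
    return any(name.startswith("on") for name in input_attributes(markup))


if __name__ == "__main__":
    for label, escape in (("tags only", escape_tags_only),
                          ("tags and quotes", escape_tags_and_quotes)):
        markup = render_field(PAYLOAD, escape)
        print(f"{label:16} -> {markup}")
        print(f"{'':16}    handler injected: {has_injected_handler(markup)}")
```

With stage 1 the rendered tag is `<input ... value="aaa" onmouseover=alert(1) "">`, and the parser reports onmouseover as a real attribute; with stage 2 the whole payload stays inside the value attribute. Encoding < and > alone is enough for the element-text context (render_label), which is why the first patch looked complete until the attribute case in comment 3 was tried.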

Comment 6 Farah Juma 2009-07-17 15:08:45 UTC
We have applied the patch to the JBPAPP_4_2_0_GA_CP branch, Branch_5_x, and trunk.

(See:
https://jira.jboss.org/jira/browse/JBPAPP-2274 and
https://jira.jboss.org/jira/browse/JBAS-7105 )

Comment 7 Farah Juma 2009-07-20 19:29:50 UTC
I have also applied the patch to the JBPAPP_5_0 branch. 

(See:
https://jira.jboss.org/jira/browse/JBPAPP-2284 )

Comment 9 errata-xmlrpc 2009-12-09 23:14:10 UTC
This issue has been addressed in following products:

  JBEAP 4.3.0 for RHEL 4

Via RHSA-2009:1636 https://rhn.redhat.com/errata/RHSA-2009-1636.html

Comment 10 errata-xmlrpc 2009-12-09 23:32:23 UTC
This issue has been addressed in following products:

  JBEAP 4.2.0 for RHEL 4

Via RHSA-2009:1637 https://rhn.redhat.com/errata/RHSA-2009-1637.html

Comment 11 errata-xmlrpc 2009-12-09 23:51:54 UTC
This issue has been addressed in following products:

  JBEAP 4.3.0 for RHEL 5

Via RHSA-2009:1649 https://rhn.redhat.com/errata/RHSA-2009-1649.html

Comment 12 errata-xmlrpc 2009-12-10 00:03:54 UTC
This issue has been addressed in following products:

  JBEAP 4.2.0 for RHEL 5

Via RHSA-2009:1650 https://rhn.redhat.com/errata/RHSA-2009-1650.html

Comment 13 David Jorm 2014-01-02 22:16:03 UTC
Statement:

This flaw does not affect Red Hat JBoss Enterprise Application Platform 5 or 6. Older versions of the community JBoss Application Server 5.x may be affected.

