Bug 510023 (CVE-2009-2405) - CVE-2009-2405 JBoss Application Server Web Console XSS
Summary: CVE-2009-2405 JBoss Application Server Web Console XSS
Status: CLOSED ERRATA
Alias: CVE-2009-2405
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: reported=20090707,source=secunia,publ...
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-07-07 13:13 UTC by Mark J. Cox
Modified: 2016-03-04 11:09 UTC (History)
8 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2013-07-29 08:19:29 UTC


Attachments (Terms of Use)
A fix for the Web Console XSS issue (3.40 KB, patch)
2009-07-13 15:08 UTC, Farah Juma
no flags Details | Diff
A revised fix for the Web Console XSS issue (27.47 KB, patch)
2009-07-16 20:55 UTC, Farah Juma
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1636 normal SHIPPED_LIVE Moderate: JBoss Enterprise Application Platform 4.3.0.CP07 update 2009-12-09 23:14:02 UTC
Red Hat Product Errata RHSA-2009:1637 normal SHIPPED_LIVE Moderate: JBoss Enterprise Application Platform 4.2.0.CP08 update 2009-12-09 23:32:14 UTC
Red Hat Product Errata RHSA-2009:1649 normal SHIPPED_LIVE Moderate: JBoss Enterprise Application Platform 4.3.0.CP07 update 2009-12-09 23:51:47 UTC
Red Hat Product Errata RHSA-2009:1650 normal SHIPPED_LIVE Moderate: JBoss Enterprise Application Platform 4.2.0.CP08 update 2009-12-10 00:03:48 UTC

Description Mark J. Cox 2009-07-07 13:13:09 UTC
We have received information from a third party regarding
vulnerabilities in JBoss Application Server.

Input passed to the "monitorName", "objectName", "attribute", and
"period" parameters in createSnapshot.jsp and to the "monitorName",
"objectName", "attribute", "threshold", "period", and "enabled"
parameters in createThresholdMonitor.jsp of the JBoss Web Console is not
properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's browser
session in context of an affected site.

The vulnerabilties are confirmed in version 5.1.0GA. Other versions may
also be affected.

The preliminary disclosure date has been set to July 22th, 2009.

Comment 2 Farah Juma 2009-07-13 15:08:22 UTC
Created attachment 351481 [details]
A fix for the Web Console XSS issue

I was also able to reproduce this issue using EAP 4.3 CP05 and EAP 4.2 CP07.

Attached a patch:

The patch escapes HTML tags (i.e. converts "<" to "&lt;" and ">" to "&gt;") to make sure that the parameters to createSnapshot.jsp and createThresholdMonitor.jsp are sanitized before being displayed to the user. I will ask Dimitris to take a look at this patch.

Comment 3 Farah Juma 2009-07-14 19:10:46 UTC
Today, Brian and I found that our patch currently does not handle an input like:

aaa" onmouseover=alert(1) "

In this case, moving the mouse over the input field causes a box to pop up. We are currently working on revising our patch to deal with this case as well.

Comment 5 Farah Juma 2009-07-16 20:55:03 UTC
Created attachment 354047 [details]
A revised fix for the Web Console XSS issue

Brian and I have revised our patch so that single quotes and double quotes in the input are also escaped (i.e. we convert "'" to "&apos;" and """ to "&quot;"). We will commit our patch to the JBPAPP_4_2_0_GA_CP branch, Branch_5_x, and trunk.

Comment 6 Farah Juma 2009-07-17 15:08:45 UTC
We have applied the patch to the JBPAPP_4_2_0_GA_CP branch, Branch_5_x, and trunk.

(See:
https://jira.jboss.org/jira/browse/JBPAPP-2274 and
https://jira.jboss.org/jira/browse/JBAS-7105 )

Comment 7 Farah Juma 2009-07-20 19:29:50 UTC
I have also applied the patch to the JBPAPP_5_0 branch. 

(See:
https://jira.jboss.org/jira/browse/JBPAPP-2284 )

Comment 9 errata-xmlrpc 2009-12-09 23:14:10 UTC
This issue has been addressed in following products:

  JBEAP 4.3.0 for RHEL 4

Via RHSA-2009:1636 https://rhn.redhat.com/errata/RHSA-2009-1636.html

Comment 10 errata-xmlrpc 2009-12-09 23:32:23 UTC
This issue has been addressed in following products:

  JBEAP 4.2.0 for RHEL 4

Via RHSA-2009:1637 https://rhn.redhat.com/errata/RHSA-2009-1637.html

Comment 11 errata-xmlrpc 2009-12-09 23:51:54 UTC
This issue has been addressed in following products:

  JBEAP 4.3.0 for RHEL 5

Via RHSA-2009:1649 https://rhn.redhat.com/errata/RHSA-2009-1649.html

Comment 12 errata-xmlrpc 2009-12-10 00:03:54 UTC
This issue has been addressed in following products:

  JBEAP 4.2.0 for RHEL 5

Via RHSA-2009:1650 https://rhn.redhat.com/errata/RHSA-2009-1650.html

Comment 13 David Jorm 2014-01-02 22:16:03 UTC
Statement:

This flaw does not affect Red Hat JBoss Enterprise Application Platform 5 or 6. Older versions of the community JBoss Application Server 5.x may be affected.


Note You need to log in before you can comment on or make changes to this bug.