We have received information from a third party regarding vulnerabilities in JBoss Application Server. Input passed to the "monitorName", "objectName", "attribute", and "period" parameters in createSnapshot.jsp and to the "monitorName", "objectName", "attribute", "threshold", "period", and "enabled" parameters in createThresholdMonitor.jsp of the JBoss Web Console is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. The vulnerabilities are confirmed in version 5.1.0GA. Other versions may also be affected. The preliminary disclosure date has been set to July 22nd, 2009.
Created attachment 351481: A fix for the Web Console XSS issue. I was also able to reproduce this issue using EAP 4.3 CP05 and EAP 4.2 CP07. Attached a patch: The patch escapes HTML tags (i.e. converts "<" to "&lt;" and ">" to "&gt;") to make sure that the parameters to createSnapshot.jsp and createThresholdMonitor.jsp are sanitized before being displayed to the user. I will ask Dimitris to take a look at this patch.
Today, Brian and I found that our patch currently does not handle an input like: aaa" onmouseover=alert(1) " In this case, moving the mouse over the input field causes a box to pop up. We are currently working on revising our patch to deal with this case as well.
Created attachment 354047: A revised fix for the Web Console XSS issue. Brian and I have revised our patch so that single quotes and double quotes in the input are also escaped (i.e. we convert "'" and """ to their HTML character entities). We will commit our patch to the JBPAPP_4_2_0_GA_CP branch, Branch_5_x, and trunk.
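The comments above describe two rounds of the fix: escaping only "<" and ">" first, then adding quote escaping after the `aaa" onmouseover=alert(1) "` bypass was found. The following is an added example, not the JBoss patch or any Web Console code, that puts both escapers side by side and simulates how a browser would tokenize the echoed form field, so the attribute break-out is visible without a running server. Class, method and field names are illustrative assumptions, the `<input>` markup is constructed rather than copied from createSnapshot.jsp, and the "&" escaping goes beyond what the thread's patch describes.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not the JBoss patch itself): contrasts the first Web Console
 * fix, which escaped only "<" and ">", with the revised fix that also escapes
 * quotes, and shows why the attribute-context payload from the bug thread
 * bypasses the first one. Names here are illustrative assumptions.
 */
public class WebConsoleEscapeDemo {

    /** First patch: only angle brackets are escaped. Enough between tags,
     *  insufficient inside a quoted attribute value. */
    static String escapeTagsOnly(String s) {
        return s.replace("<", "&lt;").replace(">", "&gt;");
    }

    /** Revised patch: angle brackets and both quote characters are escaped.
     *  The "&" replacement is an addition beyond the thread's patch; it must run
     *  first so the entities emitted below are not themselves re-escaped. */
    static String escapeHtml(String s) {
        return s.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace("\"", "&quot;")
                .replace("'", "&#39;");
    }

    /** Mimics how a JSP echoes a request parameter back into a form field.
     *  Constructed markup; the real createSnapshot.jsp layout is not reproduced. */
    static String renderField(String name, String value, boolean revised) {
        String escaped = revised ? escapeHtml(value) : escapeTagsOnly(value);
        return "<input type=\"text\" name=\"" + name + "\" value=\"" + escaped + "\">";
    }

    /** Simulates what a browser tokenizer does with the tag: the value attribute
     *  ends at the first raw double quote, and whatever follows before ">" is
     *  parsed as additional attributes. Returns that trailing text, or "" if the
     *  value stayed inside its attribute. */
    static String attributesAfterValue(String tag) {
        int start = tag.indexOf("value=\"") + "value=\"".length();
        int end = tag.indexOf('"', start);
        return tag.substring(end + 1, tag.lastIndexOf('>')).trim();
    }

    public static void main(String[] args) {
        // Constructed inputs: the bypass reported in the thread, a plain tag
        // injection, and a benign monitor name containing an ampersand.
        List<String> inputs = Arrays.asList(
            "aaa\" onmouseover=alert(1) \"",
            "<script>alert(1)</script>",
            "Heap usage & threads");
        for (String in : inputs) {
            for (boolean revised : new boolean[] {false, true}) {
                String tag = renderField("monitorName", in, revised);
                String extra = attributesAfterValue(tag);
                System.out.printf("%-8s %s%n    -> %s%n",
                    revised ? "revised" : "first", tag,
                    extra.isEmpty() ? "value stays inside the attribute"
                                    : "BREAKOUT, extra attributes: " + extra);
            }
        }
    }
}
```

Run with `javac WebConsoleEscapeDemo.java && java WebConsoleEscapeDemo`. The first escaper leaves `aaa" onmouseover=alert(1) "` untouched, so the tokenizer closes `value` after `aaa` and reads `onmouseover=alert(1)` as a new attribute; the revised escaper turns the quotes into `&quot;` and the whole payload stays inside the attribute. Two caveats a practitioner should keep in mind: quote escaping only helps when the JSP actually quotes the attribute (an unquoted `value=<%= ... %>` can be broken out of with a space), and HTML entity escaping is the wrong encoder if the parameter is echoed into a JavaScript string or a URL rather than HTML text or a quoted attribute.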
We have applied the patch to the JBPAPP_4_2_0_GA_CP branch, Branch_5_x, and trunk. (See: https://jira.jboss.org/jira/browse/JBPAPP-2274 and https://jira.jboss.org/jira/browse/JBAS-7105 )
I have also applied the patch to the JBPAPP_5_0 branch. (See: https://jira.jboss.org/jira/browse/JBPAPP-2284 )
This issue has been addressed in the following products: JBEAP 4.3.0 for RHEL 4 Via RHSA-2009:1636 https://rhn.redhat.com/errata/RHSA-2009-1636.html
This issue has been addressed in the following products: JBEAP 4.2.0 for RHEL 4 Via RHSA-2009:1637 https://rhn.redhat.com/errata/RHSA-2009-1637.html
This issue has been addressed in the following products: JBEAP 4.3.0 for RHEL 5 Via RHSA-2009:1649 https://rhn.redhat.com/errata/RHSA-2009-1649.html
This issue has been addressed in the following products: JBEAP 4.2.0 for RHEL 5 Via RHSA-2009:1650 https://rhn.redhat.com/errata/RHSA-2009-1650.html
Statement: This flaw does not affect Red Hat JBoss Enterprise Application Platform 5 or 6. Older versions of the community JBoss Application Server 5.x may be affected.