Bug 510023 - (CVE-2009-2405) CVE-2009-2405 JBoss Application Server Web Console XSS
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: reported=20090707,source=secunia,publ...
Keywords: Security
Reported: 2009-07-07 09:13 EDT by Mark J. Cox (Product Security)
Modified: 2016-03-04 06:09 EST (History)
Doc Type: Bug Fix
Last Closed: 2013-07-29 04:19:29 EDT

Attachments
  A fix for the Web Console XSS issue (3.40 KB, patch), 2009-07-13 11:08 EDT, Farah Juma
  A revised fix for the Web Console XSS issue (27.47 KB, patch), 2009-07-16 16:55 EDT, Farah Juma

Description Mark J. Cox (Product Security) 2009-07-07 09:13:09 EDT
We have received information from a third party regarding
vulnerabilities in JBoss Application Server.

Input passed to the "monitorName", "objectName", "attribute", and
"period" parameters in createSnapshot.jsp and to the "monitorName",
"objectName", "attribute", "threshold", "period", and "enabled"
parameters in createThresholdMonitor.jsp of the JBoss Web Console is not
properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's browser
session in context of an affected site.

The vulnerabilities are confirmed in version 5.1.0GA. Other versions may
also be affected.

The preliminary disclosure date has been set to July 22nd, 2009.
Comment 2 Farah Juma 2009-07-13 11:08:22 EDT
Created attachment 351481 [details]
A fix for the Web Console XSS issue

I was also able to reproduce this issue using EAP 4.3 CP05 and EAP 4.2 CP07.

Attached a patch:

The patch escapes HTML tags (i.e. converts "<" to "&lt;" and ">" to "&gt;") to make sure that the parameters to createSnapshot.jsp and createThresholdMonitor.jsp are sanitized before being displayed to the user. I will ask Dimitris to take a look at this patch.
Comment 3 Farah Juma 2009-07-14 15:10:46 EDT
Today, Brian and I found that our patch currently does not handle an input like:

aaa" onmouseover=alert(1) "

In this case, moving the mouse over the input field causes a box to pop up. We are currently working on revising our patch to deal with this case as well.
Comment 5 Farah Juma 2009-07-16 16:55:03 EDT
Created attachment 354047 [details]
A revised fix for the Web Console XSS issue

Brian and I have revised our patch so that single quotes and double quotes in the input are also escaped (i.e. we convert "'" to "&apos;" and """ to "&quot;"). We will commit our patch to the JBPAPP_4_2_0_GA_CP branch, Branch_5_x, and trunk.
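The two escaping stages discussed in comments 2, 3 and 5, as an added example (it is not the patch attached to this bug and not JBoss code): a stand-in for the form field that createSnapshot.jsp echoes back is rendered with the comment 3 input under tags-only escaping and under the revised escaping that also handles quotes, and the standard-library HTML parser is used to check whether an event-handler attribute ends up on the tag. The markup of the input field is an assumption.

```python
from html.parser import HTMLParser

# Constructed from the input quoted in comment 3: it closes the quoted value
# attribute and adds an event-handler attribute of its own.
SAMPLE_INPUT = 'aaa" onmouseover=alert(1) "'

def escape_tags_only(value: str) -> str:
    """First patch (comment 2): only '<' and '>' are escaped."""
    return value.replace("<", "&lt;").replace(">", "&gt;")

def escape_attr(value: str) -> str:
    """Revised patch (comment 5) plus '&', escaped first so that entities
    already present in the input are not double-encoded."""
    return (value.replace("&", "&amp;").replace("<", "&lt;")
            .replace(">", "&gt;").replace('"', "&quot;").replace("'", "&#39;"))

def render_input(monitor_name: str, escape) -> str:
    """Hypothetical stand-in for the field createSnapshot.jsp echoes back;
    the markup is an assumption, not taken from the JSP or the patch."""
    return f'<input type="text" name="monitorName" value="{escape(monitor_name)}">'

class _AttrCollector(HTMLParser):
    """Collects the attributes of the first <input> tag, as a browser parses it."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input" and not self.attrs:
            self.attrs = dict(attrs)  # attribute values arrive entity-decoded

def parse_input_attrs(markup: str) -> dict:
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs

def injects_event_handler(monitor_name: str, escape) -> bool:
    """True when the reflected value breaks out of value="..." and an on*
    attribute lands on the tag, i.e. the escaping is insufficient here."""
    attrs = parse_input_attrs(render_input(monitor_name, escape))
    return any(name.startswith("on") for name in attrs)

if __name__ == "__main__":
    for label, fn in (("tags only", escape_tags_only), ("tags+quotes", escape_attr)):
        print(f"{label:12s} -> handler injected: {injects_event_handler(SAMPLE_INPUT, fn)}")
```

Escaping '&' first, which the comments do not mention, keeps already-encoded input from being double-encoded; `&#39;` is used for the single quote because `&apos;` was not a defined entity in HTML 4.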
Comment 6 Farah Juma 2009-07-17 11:08:45 EDT
We have applied the patch to the JBPAPP_4_2_0_GA_CP branch, Branch_5_x, and trunk.

(See:
https://jira.jboss.org/jira/browse/JBPAPP-2274 and
https://jira.jboss.org/jira/browse/JBAS-7105 )
Comment 7 Farah Juma 2009-07-20 15:29:50 EDT
I have also applied the patch to the JBPAPP_5_0 branch. 

(See:
https://jira.jboss.org/jira/browse/JBPAPP-2284 )
Comment 9 errata-xmlrpc 2009-12-09 18:14:10 EST
This issue has been addressed in the following products:

  JBEAP 4.3.0 for RHEL 4

Via RHSA-2009:1636 https://rhn.redhat.com/errata/RHSA-2009-1636.html
Comment 10 errata-xmlrpc 2009-12-09 18:32:23 EST
This issue has been addressed in the following products:

  JBEAP 4.2.0 for RHEL 4

Via RHSA-2009:1637 https://rhn.redhat.com/errata/RHSA-2009-1637.html
Comment 11 errata-xmlrpc 2009-12-09 18:51:54 EST
This issue has been addressed in the following products:

  JBEAP 4.3.0 for RHEL 5

Via RHSA-2009:1649 https://rhn.redhat.com/errata/RHSA-2009-1649.html
Comment 12 errata-xmlrpc 2009-12-09 19:03:54 EST
This issue has been addressed in the following products:

  JBEAP 4.2.0 for RHEL 5

Via RHSA-2009:1650 https://rhn.redhat.com/errata/RHSA-2009-1650.html
Comment 13 David Jorm 2014-01-02 17:16:03 EST
Statement:

This flaw does not affect Red Hat JBoss Enterprise Application Platform 5 or 6. Older versions of the community JBoss Application Server 5.x may be affected.
