Bug 742984 (CVE-2011-3606) - CVE-2011-3606 JBoss AS: DOM based XSS in the administration console
Summary: CVE-2011-3606 JBoss AS: DOM based XSS in the administration console
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2011-3606
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 743016
Reported: 2011-10-03 13:52 UTC by Jan Lieskovsky
Modified: 2023-05-12 16:57 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-02 03:41:47 UTC
Embargoed:



Description Jan Lieskovsky 2011-10-03 13:52:13 UTC
A DOM based cross-site scripting flaw was found in the way the administrative console of the JBoss Application Server processed certain messages (the 'onerror' argument was not sanitized prior to further use). A remote attacker could provide a specially-crafted web page and trick a valid JBoss AS user with administrator privileges into visiting it, which would lead to modification of the DOM environment and arbitrary HTML or web script execution.

Comment 3 Jan Lieskovsky 2011-10-03 16:30:33 UTC
Acknowledgements:

Red Hat would like to thank David Black for reporting this issue.

Comment 4 Jean-frederic Clere 2011-10-04 06:23:50 UTC
Is there a more precise description of the flaw?

Comment 6 David 2011-10-04 10:38:38 UTC
(In reply to comment #4)
> Is there a more precise description of the flaw?

Sure. My original email wasn't copied into this bug report, so I will include parts of it below:

"It goes like this ... when you visit a page like -->
http://localhost:9990/console/App.html#<video onerror=alert(1)
src="loaskdfjsaldfj">xxxx

an error is recorded (you can see this in console.log). While it
doesn't trigger at this point (as it shouldn't). A "messages" button
which you can click on .. and "view" the information about the failure
will be shown (a "messages" button - at the bottom right of the page).
In the respective pop up, (if clicked) the xss will be triggered.
I have attached a screen-shot to show it triggering in the latest
stable version of chrome using jboss 7.02 which I downloaded
yesterday."

Please let me know if you would like the screen-shot which I sent in the email.

Comment 7 Jan Lieskovsky 2011-10-04 10:50:07 UTC
(In reply to comment #6)
> (In reply to comment #4)
> > Is there a more precise description of the flaw?
> 
> Sure. My original email wasn't copied into this bug report, so I will include
> parts of it below:
[..]
> Please let me know if you would like the screen-shot which I sent in the email.

Hi David,

your original message was copied to this bug report too, but rather as a private comment (just FYI). Jean-Frederic is already aware of it.

HTH
Jan

P.S.: The screenshot was attached too.

Comment 8 David 2011-10-04 11:12:06 UTC
AH ok.

Comment 9 Jean-frederic Clere 2011-10-05 09:09:03 UTC
Hm, I am not able to reproduce it with jboss-as-7.1.0.Alpha2-SNAPSHOT. Which version are you testing?

Comment 10 David 2011-10-05 11:11:48 UTC
I was testing jboss 7.02 (in chrome). If you are using firefox, you may need to switch to chrome/chromium to test it. Firefox and chrome can (depending on the method of access) provide different "values" for location.hash.

If it is accessed like this -->
var something = location.href.split("#")[1] || "" ;
chrome and firefox can provide different results.

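The fragment-access pattern quoted in comment 10, next to an unsafe and a hardened way of rendering that fragment into an error message, as an added example that is not part of the bug report or of the as7-console code. The sample URL is constructed from the one quoted in comments 6 and 12 (with the wrapped space restored); the function names and the message wrapper are assumptions, not the console's own code.

```javascript
// Added example (not code from the bug report or from the as7-console project):
// unsafe versus safe rendering of a URL fragment into an error message.

// Constructed sample URL, modelled on the one quoted in the report, with the
// space restored where Bugzilla wrapped the line (see comment 12).
const SAMPLE_HREF =
  'http://localhost:9990/console/App.html#<video onerror=alert(1) src="loaskdfjsaldfj">xxxx';

// Mirrors the access pattern quoted in comment 10: everything after the first "#".
// Note that location.hash and location.href.split("#")[1] can differ between
// browsers in how they decode the fragment, so escaping must not rely on either.
function extractFragment(href) {
  return href.split("#")[1] || "";
}

// Vulnerable pattern: the raw fragment is concatenated into an HTML string that
// later reaches the DOM via innerHTML, so any markup in it is interpreted and
// an onerror handler fires when the bogus src fails to load.
function renderMessageUnsafe(fragment) {
  return '<div class="message">Failed to load ' + fragment + "</div>";
}

// Minimal HTML escaping sufficient for text nodes and double-quoted attributes.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  })[ch]);
}

// Hardened pattern: escape before concatenation, so the fragment is displayed
// as literal text. In a real page, assigning the fragment to an element's
// textContent instead of building HTML achieves the same without a string step.
function renderMessageSafe(fragment) {
  return '<div class="message">Failed to load ' + escapeHtml(fragment) + "</div>";
}

// Regression-style check: after removing the wrapper we wrote ourselves, does
// the rendered HTML still contain the start of any tag?
function containsForeignTag(html) {
  const stripped = html.replace(/^<div class="message">|<\/div>$/g, "");
  return /<[a-zA-Z]/.test(stripped);
}

// Stand-alone demonstration.
const fragment = extractFragment(SAMPLE_HREF);
console.log("unsafe rendering contains a tag:", containsForeignTag(renderMessageUnsafe(fragment)));
console.log("safe rendering contains a tag:  ", containsForeignTag(renderMessageSafe(fragment)));
```

The `containsForeignTag` check is the kind of assertion worth keeping in a console's test suite: it fails on the unsafe renderer for the quoted fragment and passes on the escaped one, regardless of which browser-specific decoding of the fragment is in play.
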
Comment 11 Jean-frederic Clere 2011-10-05 13:14:31 UTC
I can't reproduce it either. It uses GWT, which is not my cup of tea.
You should assign it to Heiko Braun and retest with a new chrome version (maybe there is a problem there).

Comment 12 David Jorm 2011-10-06 07:48:00 UTC
I can reproduce this issue on JBoss AS 7.0.2.Final and EAP 6.0.0.Alpha2 (AS 7.1.0.Alpha1-redhat-1). I think the line wrapping in BZ has confused the initial report. In the URL:

http://localhost:9990/console/App.html#<video onerror=alert(1)
src="loaskdfjsaldfj">xxxx

There must be a space where the newline is: ...onerror=alert(1) src="...

Comment 14 David Jorm 2011-10-07 02:13:14 UTC
Has been fixed here: https://github.com/heiko-braun/as7-console/commit/6e9146067cc05ea3c84305aa159d9c5036fe4383

Will be included in AS 7.1 (or Console 1.0.0.Beta19)

Comment 16 David Jorm 2011-12-01 05:10:36 UTC
This issue is now resolved in JBoss AS 7.1.0 Beta 1.

Comment 17 David Jorm 2011-12-02 03:41:47 UTC
Statement:

Not vulnerable. This issue only affects community JBoss AS 7 prior to 7.1.0 Beta 1. It does not affect components shipped with any Red Hat products.

