A DOM based cross-site scripting flaw was found in the way the administrative console of the JBoss Application Server processed some certain messages (the 'onerror' argument was not sanitized prior further use). A remote attacker could provide a specially-crafted web page and trick the valid JBoss AS user, with the administrator privilege, to visit it, which would lead into the DOM environment modification and arbitrary HTML or web script execution.
Red Hat would like to thank David Black for reporting this issue.
Is there a more precise description of the flaw?
(In reply to comment #4)
> Is there a more precise description of the flaw?
Sure. My original email wasn't copied into this bug report, so I will include parts of it below:
"It goes like this ... when you visit a page like -->
an error is recorded (you can see this in console.log). While it
doesn't trigger at this point(as it shouldn't). A "messages" button
which you can click on .. and "view" the information about the failure
will be shown( a "messages" button - at the bottom right of the page).
In the respective pop up, (if clicked) the xss will be triggered.
I have attached a screen-shot to show it triggering in the latest
stable version of chrome using jboss 7.02 which I downloaded
Please let me know if you would like the screen-shot which I sent in the email.
(In reply to comment #6)
> (In reply to comment #4)
> > Is there a more precise description of the flaw?
> Sure. My original email wasn't copied into this bug report, so I will include
> parts of it below:
> Please let me know if you would like the screen-shot which I sent in the email.
your original message was copied to this bug report too, but rather as private comment (just FYI). Jean-Frederic is already aware of it.
P.S.: The screenshot was attached too.
Hm I am not able to reproduce it with jboss-as-7.1.0.Alpha2-SNAPSHOT which version are you testing?
I was testing jboss 7.02 (in chrome). If you are using firefox, you may need to switch the chrome/chromium to test it. Firefox and chrome can (depending on the method of access) provide different "values" for location.hash.
If it is accessed like this -->
var something = location.href.split("#") || "" ;
chrome and firefox can provide different results.
I can't reproduce it too. It uses gwt that is not my cup of tea.
You should assign it to Heiko Braun and retest with a new chrome version (may be there is a problem there).
I can reproduce this issue on JBoss AS 7.0.2.Final and EAP 6.0.0.Alpha2 (AS 7.1.0.Alpha1-redhat-1). I think the line wrapping in BZ has confused the initial report. In the URL:
There must be a space where the newline is: ...onerror=alert(1) src="...
Has been fixed here: https://github.com/heiko-braun/as7-console/commit/6e9146067cc05ea3c84305aa159d9c5036fe4383
Will be included in AS 7.1 (or Console 1.0.0.Beta19)
This issue is now resolved in JBoss AS 7.1.0 Beta 1.
Not vulnerable. This issue only affects community JBoss AS 7 prior to 7.1.0 Beta 1. It does not affect components shipped with any Red Hat products.