Bugtraq mailing list archives
Re: Jboss vulnerability
From: Harry Hoffman <hhoffman () ip-solutions net>
Date: Tue, 20 Feb 2007 11:30:35 -0500
Hi, Hopefully this will help some of those with mis-configured jboss security. Although, IMHO, jboss should limit access out of the box :-( This is due to improperly configured admin access to jboss. The console and web mgmt are meant to be locked down but are not done so by default. The following directories should either be removed or have access limitations: $JBOSS_HOME/server/*/deploy/jmx-console.war $JBOSS_HOME/server/*/deploy/management $JBOSS_HOME/server/*/deploy/jbossweb-tomcat55.sar/ROOT.war See, http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole, for further information. Cheers, Harry dexie () tsn cc wrote:
Just fired this off to USCERT, not pretty. ---------------------------- Original Message ---------------------------- Subject: jboss vulnerability From: dexie () tsn cc Date: Tue, February 20, 2007 10:54 pm To: "cert () cert org" <cert () cert org> Cc: "soc () us-cert gov" <soc () us-cert gov> -------------------------------------------------------------------------- Hi guys. I am an IT Security analyst in Canberra, Australia. I recently encountered an issue with jboss, which led me to do some Google enumeration... http://www.google.com.au/search?q=inurl:inspectMBean The search will pull up around 41500 results. Click on any of the links and you will gain access to the backend app (ie start/stop services, modify data,etc). I do not know if this will work in all cases, however I would recommend a good deal of caution if you do follow any of the links. Please let me know if you need any further info - I have nfi who to actually contact as auscert has no vulnerability reporting option and this is a first for me... Regards, Ben Dexter. +61 2 6207 0368
Current thread:
- Jboss vulnerability dexie (Feb 20)
- Re: Jboss vulnerability James Davis (Feb 20)
- Re: Jboss vulnerability Harry Hoffman (Feb 20)
- Re: Jboss vulnerability Javier Antunez (Feb 20)
- Re: Jboss vulnerability (AUSCERT#2007d2feb) AusCERT (Feb 21)
- <Possible follow-ups>
- Re: Jboss vulnerability ben . dexter (Feb 20)