Vigil@nce - Oracle GlassFish Server: Authentication bypass via the administration console
May 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A remote attacker can bypass authentication of the administration
console in order to obtain sensitive data.
Severity: 2/4
Creation date: 12/05/2011
IMPACTED PRODUCTS
- Oracle GlassFish Enterprise Server
DESCRIPTION OF THE VULNERABILITY
The administration console of Sun GlassFish Enterprise Server and
Oracle GlassFish Server listens on port 4848/tcp.
However, this service does not correctly validate HTTP TRACE
requests: such a request is processed without any authentication.
A remote attacker can therefore bypass authentication of the
administration console in order to obtain sensitive data.
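The bulletin's description gives a defender a concrete signature to look for: a TRACE request against the administration port that is answered successfully although no authenticated user is recorded. The following script is an added example written for this bulletin, not Vigil@nce's, Sun's or Oracle's code. It assumes the administration console's access log is in a Common Log Format-like layout (client, identity, authenticated user, timestamp, request line, status, size); the log lines embedded in it are constructed for illustration and do not come from any real GlassFish deployment.

```python
import re

# Constructed sample access-log lines (Common Log Format); not from a real server.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/May/2011:10:14:02 +0200] "GET /common/index.jsf HTTP/1.1" 200 5123
198.51.100.7 - - [12/May/2011:10:15:41 +0200] "TRACE /common/index.jsf HTTP/1.1" 200 412
10.0.0.5 - admin [12/May/2011:10:16:03 +0200] "POST /common/applications/uploadFrame.jsf HTTP/1.1" 200 87
198.51.100.7 - - [12/May/2011:10:16:10 +0200] "TRACE / HTTP/1.0" 200 380
10.0.0.9 - - [12/May/2011:10:17:22 +0200] "OPTIONS / HTTP/1.1" 401 0
"""

# client ip, identity, authenticated user, timestamp, request line, status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Parse one CLF line into a dict, or return None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["user"] = None if entry["user"] == "-" else entry["user"]
    return entry


def find_unauthenticated_trace(log_text):
    """Return entries where a TRACE request got a 2xx answer with no authenticated user.

    In the situation described by the bulletin this combination is the signature
    of the bypass: method TRACE, no principal recorded, request still served.
    """
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if (entry["method"] == "TRACE"
                and entry["user"] is None
                and 200 <= entry["status"] < 300):
            hits.append(entry)
    return hits


def summarize_by_source(hits):
    """Count suspicious TRACE hits per client address, for triage."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    suspicious = find_unauthenticated_trace(SAMPLE_LOG)
    for h in suspicious:
        print(f'{h["ts"]} {h["ip"]} TRACE {h["path"]} -> {h["status"]}')
    print(summarize_by_source(suspicious))
```

Run against the real access log of the administration listener (port 4848/tcp, if access logging is enabled there) the same filter separates legitimate, authenticated console traffic from TRACE requests that were served without a user, which is exactly the condition the bulletin describes. A 405 or 401 answer to TRACE is the expected result once the method is disabled or the vendor fix is applied; a 2xx answer with no user is what should raise an alert.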
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN