847.221.0200  Main Office
800.925.0559  INCIDENT RESPONSE HOTLINE
Back to Main Blog

CVE-2013-3734 – JBoss AS Administration Console – Password Returned in Later Response

Product: Embedded Jopr – JBoss AS Administration Console

Vendor: Red Hat Middleware, LLC

Version: < 1.2

Tested Version: 1.2

Vendor Notified Date: May 29, 2013

Release Date: June 03, 2013

Risk: Moderate

Authentication: Required

Remote: Yes

 

Description:

Passwords submitted to the application are returned in clear form in later responses from the application. Although the password filed is masked, it is viewable via the page source regardless of SSL.

This behavior increases the risk that passwords will be captured by an attacker.

Specifically, this can be leveraged to pivot and gain access to configured databases by viewing the page source or using browser tools such as “inspect element” in chrome and firefox.

Successful exploitation of this vulnerability results in taking complete control of database servers.

 

Exploit steps for proof-of-concept:

  1. Navigate to: JBossAS Servers> JBoss AS> Resources> Datasources
  2. Select Datasource
  3. View page source
  4. Find input type=”password”
  5. “value=” will contain the database password.
  6. Dump database.

 

Vendor Notified: Yes

Vendor Response: Does not consider this to be an exploitable security flaw due to type authenticated.

 

Reference:

CVE-2013-3734

 


* Get an image next to your comment by visiting Gravatar.com and uploading a profile photo that links to your email.

Post a Comment

All fields required unless otherwise noted.



We will never share or sell your email address.