ACROS Security: HTML Injection in JRun Management Console

From: ACROS Security (lists_at_acros.si)
Date: 10/14/04

  • Next message: ACROS Security: "ACROS Security: Session Fixation in JRun Management Console"
    To: <bugtraq@securityfocus.com>, <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>, <cert@cert.org>
    Date: Thu, 14 Oct 2004 12:11:13 +0200
    
    

    =====[BEGIN-ACROS-REPORT]=====

    PUBLIC

    =========================================================================
    ACROS Security Problem Report #2004-10-14-1
    -------------------------------------------------------------------------
    ASPR #2004-10-14-1: HTML Injection in JRun Management Console
    =========================================================================

    Document ID: ASPR #2004-10-14-1-PUB
    Vendor: Macromedia (http://www.macromedia.com)
    Target: JRun 4 for Windows, Service Pack 1a
    Impact: An HTML injection vulnerability exists in JRun
                     Management Console, enabling attackers to hijack
                     administrative sessions using cross site scripting
    Severity: Medium
    Status: Official patch available, workaround available
    Discovered by: Mitja Kolsek of ACROS Security

    Current version
       http://www.acrossecurity.com/aspr/ASPR-2004-10-14-1-PUB.txt

    Summary
    =======

    An HTML injection vulnerability exists in JRun 4 Management Console,
    allowing the attacker to acquire the session ID of a management session and
    subsequently enter that session without administrator noticing it.

    Product Coverage
    ================

    - JRun 4 for Windows, Service Pack 1a - affected

    All updaters applied, up to and excluding JRun4 Updater 4.
    Other versions may also be affected.

    Analysis
    ========

    Cross site scripting is a very common problem with web-based applications.
    Basically it is present whenever the server is willing to include user's
    input data, which contains some client-side script (e.g. JavaScript), back
    to the browser unsanitized, somewhere within the generated web page. This
    script, when executed, has access to all information within and about the
    received web page, including the cookies.

    JRun employs so-called "session cookies" for HTTP session maintenance. After
    administrator's login to Management Console, JRun server generates a unique
    session identifier (session ID) and sends it to administrator's browser
    as a cookie named JSESSIONID. This session ID effectively becomes a static
    password for the session, meaning that until the session times out or is
    closed by the logged in administrator (by logging off), any browser with
    access to port 8000 of JRun server and knowledge of the session ID will have
    access to this session, and thereby access to administration of JRun
    application servers.

    Mitigating Factors
    ==================

    1) Attacker must lure the JRun administrator into visiting a hostile web
    site
       while he (admin) has an authenticated session with the JRun Management
       Console.

    Solution
    ========

    Macromedia has issued a security bulletin [1] and published JRun4 Updater 4,
    which fixes this issue. Affected users can download the updater from
    http://www.macromedia.com/support/jrun/updaters.html

    Workaround
    ==========

    - Don't allow potential attackers access to port 8000 of JRun server.
    - Don't browse around or read HTML e-mail while administering JRun server.
    - Always close all browser instances/windows before logging in to JRun
      Management Console.

    References
    ==========

    [1] Macromedia Security Bulletin MPSB04-08
        http://www.macromedia.com/devnet/security/security_zone/mpsb04-08.html

    Acknowledgments
    ===============

    We would like to acknowledge Macromedia for response to our notification of
    the identified vulnerability.

    Contact
    =======

    ACROS d.o.o.
    Makedonska ulica 113
    SI - 2000 Maribor

    e-mail: security@acrossecurity.com
    web: http://www.acrossecurity.com
    phone: +386 2 3000 280
    fax: +386 2 3000 282

    ACROS Security PGP Key
       http://www.acrossecurity.com/pgpkey.asc
       [Fingerprint: FE9E 0CFB CE41 36B0 4720 C4F1 38A3 F7DD]

    ACROS Security Advisories
       http://www.acrossecurity.com/advisories.htm

    ACROS Security Papers
       http://www.acrossecurity.com/papers.htm

    ASPR Notification and Publishing Policy
       http://www.acrossecurity.com/asprNotificationAndPublishingPolicy.htm

    Disclaimer
    ==========

    The content of this report is purely informational and meant only for the
    purpose of education and protection. ACROS d.o.o. shall in no event be
    liable for any damage whatsoever, direct or implied, arising from use or
    spread of this information. All identifiers (hostnames, IP addresses,
    company names, individual names etc.) used in examples and demonstrations
    are used only for explanatory purposes and have no connection with any
    real host, company or individual. In no event should it be assumed that
    use of these names means specific hosts, companies or individuals are
    vulnerable to any attacks nor does it mean that they consent to being used
    in any vulnerability tests. The use of information in this report is
    entirely at user's risk.

    Revision History
    ================

    October 14, 2004: Initial release

    Copyright
    =========

    (c) 2004 ACROS d.o.o. Forwarding and publishing of this document is
    permitted providing the content between "[BEGIN-ACROS-REPORT]" and
    "[END-ACROS-REPORT]" marks remains unchanged.

    =====[END-ACROS-REPORT]=====


  • Next message: ACROS Security: "ACROS Security: Session Fixation in JRun Management Console"