1 Reply Latest reply on Feb 7, 2004 1:37 AM by starksm64

    JBoss 3.2.x security hole

    jneuhoff

      It is possible to retrieve certain files such as web.xml because of some security holes on port 8083. JBoss uses the latter for its internal web service (class loading). For example, a URL like this one

      www.someserver.com/WEB-INF./web.xml

      gets the web.xml file.

      Is there a way to disable the JBoss web service? All we need JBoss for is as an EJB container and persistence manager, with some entity beans whose methods are invoked remotely through an HTTP RDF protocol. We have this in jboss-service.xml:

       <mbean code="org.jboss.web.WebService"
              name="jboss:service=WebService">
         <attribute name="Port">8083</attribute>
         <attribute name="BindAddress">..IP address..</attribute>
         <!-- Should resources and non-EJB classes be downloadable -->
         <attribute name="DownloadServerClasses">true</attribute>
       </mbean>
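The following script is an added example, not code from the post or from JBoss: it audits the org.jboss.web.WebService MBean in a jboss-service.xml and emits a hardened copy, either by binding the service to loopback and turning off DownloadServerClasses, or by removing the MBean entirely (the "disable the web service" option the post asks about). The sample XML is constructed from the fragment quoted above, with 192.0.2.10 standing in for the elided IP address and a <server> root added so the parser has a single root; treating a non-loopback bind plus DownloadServerClasses=true as the exposed state is this example's assumption of a safe baseline.

```python
"""Audit and harden the org.jboss.web.WebService MBean in jboss-service.xml.

Added example (not JBoss project code). Assumptions: a service bound to a
non-loopback address with DownloadServerClasses=true is 'exposed'; the
hardened baseline is bind-to-127.0.0.1 plus DownloadServerClasses=false, or
removal of the MBean altogether.
"""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the post's fragment. The post elides the real
# IP address; 192.0.2.10 (a documentation address) stands in for it.
SAMPLE_JBOSS_SERVICE_XML = """<server>
  <mbean code="org.jboss.web.WebService"
         name="jboss:service=WebService">
    <attribute name="Port">8083</attribute>
    <attribute name="BindAddress">192.0.2.10</attribute>
    <!-- Should resources and non-EJB classes be downloadable -->
    <attribute name="DownloadServerClasses">true</attribute>
  </mbean>
</server>
"""

WEBSERVICE_CODE = "org.jboss.web.WebService"
LOOPBACK = ("127.0.0.1", "localhost", "::1")


def find_webservice(root):
    """Return the WebService <mbean> element, or None if it is not deployed."""
    for mbean in root.iter("mbean"):
        if mbean.get("code") == WEBSERVICE_CODE:
            return mbean
    return None


def attributes(mbean):
    """Map <attribute name="X">value</attribute> children to a dict."""
    return {a.get("name"): (a.text or "").strip() for a in mbean.findall("attribute")}


def audit(xml_text):
    """Return a list of findings; an empty list means nothing is exposed."""
    root = ET.fromstring(xml_text)
    mbean = find_webservice(root)
    if mbean is None:
        return []  # MBean not deployed: nothing listens on the class-loading port
    attrs = attributes(mbean)
    findings = []
    bind = attrs.get("BindAddress", "")
    port = attrs.get("Port", "8083")
    # Anything that is not an explicit loopback address (including an empty
    # value or an unexpanded ${...} placeholder) is treated as reachable.
    if bind not in LOOPBACK:
        findings.append(f"WebService reachable on {bind or 'all interfaces'}:{port}")
    if attrs.get("DownloadServerClasses", "").lower() == "true":
        findings.append("DownloadServerClasses=true: non-EJB classes and "
                        "resources (e.g. WEB-INF/web.xml) are downloadable")
    return findings


def harden(xml_text, remove=False):
    """Return hardened XML text.

    remove=False: bind to loopback and disable resource/class download.
    remove=True:  drop the MBean entirely (disables the service).
    """
    root = ET.fromstring(xml_text)
    mbean = find_webservice(root)
    if mbean is None:
        return xml_text
    if remove:
        for parent in root.iter():
            if mbean in list(parent):
                parent.remove(mbean)
        return ET.tostring(root, encoding="unicode")
    wanted = {"BindAddress": "127.0.0.1", "DownloadServerClasses": "false"}
    present = {a.get("name"): a for a in mbean.findall("attribute")}
    for name, value in wanted.items():
        if name in present:
            present[name].text = value
        else:
            ET.SubElement(mbean, "attribute", name=name).text = value
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit(SAMPLE_JBOSS_SERVICE_XML):
        print("FINDING:", finding)
    print(harden(SAMPLE_JBOSS_SERVICE_XML))
```

Caveat before choosing remove=True: the port 8083 service is what remote RMI clients use to fetch classes they do not have locally, so removing the MBean only works if every client already ships the EJB interfaces and value classes on its own classpath; if it does not, the loopback-plus-DownloadServerClasses=false variant is the safer first step.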