I have discovered a security hole via port 8083. If you make an HTTP GET request against the following URL via Mozilla 1.0:
JBoss returns malformed XML revealing data sources, user IDs and passwords. I have confirmed this behavior on jboss-3.0.0 and jboss-3.0.2 on a clean install on Red Hat 7.2 and SunOS 5.6. With a default install this looks like:
guest jboss.mq:service=StateManager sa sa jboss.jca:service=LocalTxCM,name=hsqldbDS sysdba sysdba masterkey jboss.jca:service=XaTxCM,name=FirebirdDS guest guest guest jboss.jca:service=XaTxCM,name=jmsra
But, of course, with my Oracle installation at work, we've just given away the keys to the palace! Hopefully somebody can tell me what to do.
I was going to post a related question. Since you are here first, I am just appending my question.
It looks like an anonymous client can download any class in the JBoss server through the WebService. Is there any security measure to prevent malicious users from stealing sensitive information? It is a very important issue for us.
Any input will be greatly appreciated.