1 Reply Latest reply on Sep 11, 2002 1:07 PM by seanx

    HTTP GET on port 8083 reveals DB userids, passwords

    davidthewatson

      I have discovered a security hole via port 8083. If you make an HTTP GET request against the following URL via mozilla 1.0:

      http://yourserver:8083/login-config.xml

      JBoss returns malformed XML revealing data sources, userids and passwords. I have confirmed this behavior on jboss-3.0.0 and jboss-3.0.2 on a clean install on redhat 7.2 and sunos 5.6. With a default install this looks like:

      guest jboss.mq:service=StateManager sa sa jboss.jca:service=LocalTxCM,name=hsqldbDS sysdba sysdba masterkey jboss.jca:service=XaTxCM,name=FirebirdDS guest guest guest jboss.jca:service=XaTxCM,name=jmsra

      But, of course, with my Oracle installation at work, we've just given away the keys to the palace! Hopefully somebody can tell me what to do.

      Thanks,
      David

        • 1. Re: HTTP GET on port 8083 reveals DB userids, passwords
          seanx

          I was going to post a related question. Since you are here first, I am just appending my question.
          It looks like an anonymous client can download any class in JBoss server through WebService. Is there any security measure to prevent malicious users from stealing sensitive information? It is a very important issue for us.

          Any input will be greatly appreciated.
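Both posts above concern the same service: the dynamic class-loading WebService that JBoss binds to port 8083 serves the server classpath, which is why login-config.xml (first post) and arbitrary server classes (reply) come back to an anonymous client. The fragment below is an added example, not code from either poster or from a JBoss release; it shows the default MBean definition from jboss-service.xml beside a hardened one that uses the DownloadServerClasses attribute, which later JBoss 3.x releases added for exactly this purpose, and it is an assumption that the poster's 3.0.0/3.0.2 build supports it.

```xml
<!-- conf/default/jboss-service.xml (added example, not a shipped file) -->

<!-- Default: listens on 8083 and serves classes AND resources from the
     server classpath, so conf/login-config.xml is downloadable by anyone
     who can reach the port. -->
<mbean code="org.jboss.web.WebService" name="jboss:service=WebService">
  <attribute name="Port">8083</attribute>
</mbean>

<!-- Hardened: only EJB classes needed by RMI clients are served; other
     server classes and plain resources such as login-config.xml are
     refused. Assumes the DownloadServerClasses attribute exists in your
     version; check your jboss-service.xml before relying on it. -->
<mbean code="org.jboss.web.WebService" name="jboss:service=WebService">
  <attribute name="Port">8083</attribute>
  <attribute name="DownloadServerClasses">false</attribute>
</mbean>
```

If your version lacks the attribute, the fallback is to keep 8083 unreachable from untrusted networks (host firewall or network ACL), since RMI clients are the only legitimate consumers of that port.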