1 Reply Latest reply on Sep 11, 2002 1:07 PM by seanxu

    HTTP GET on port 8083 reveals DB userids, passwords

    David Watson Newbie

      I have discovered a security hole via port 8083. If you make an HTTP GET request against the following URL via mozilla 1.0:

      http://yourserver:8083/login-config.xml

      JBoss returns mal-formed XML revealing data sources, userids and passwords. I have confirmed this behavior on jboss-3.0.0 and jboss-3.0.2 on a clean install on redhat 7.2 and sunos 5.6. With a default install this looks like:

      guest jboss.mq:service=StateManager sa sa jboss.jca:service=LocalTxCM,name=hsqldbDS sysdba sysdba masterkey jboss.jca:service=XaTxCM,name=FirebirdDS guest guest guest jboss.jca:service=XaTxCM,name=jmsra

      But, of course with my oracle installation at work, we've just given away the keys to the palace! Hopefully somebody can tell me what to do.

      Thanks,
      David