1 Reply Latest reply on Feb 7, 2004 1:37 AM by Scott Stark

    JBoss 3.2.x security hole

    jneuhoff Newbie

      It is possible to retrieve certain files such as the web.xml because of some security holes on port 8083. JBoss uses the latter for its internal web service (class loading). For example, a URL like this one


      www.someserver.com/WEB-INF./web.xml

      gets the web.xml file.

      Is there a way to disable the JBoss web service? All we need JBoss for is as an EJB container and persistence manager, with some entity beans whose methods are being remotely invoked upon through an HTTP RDF protocol. We have this in the jboss-service.xml:

       <mbean code="org.jboss.web.WebService"
       name="jboss:service=WebService">
       <attribute name="Port">8083</attribute>
       <attribute name="BindAddress">..IP address..</attribute>
       <!-- Should resources and non-EJB classes be downloadable -->
       <attribute name="DownloadServerClasses">true</attribute>
       </mbean>