8:46 a.m.
Carlos Oliva created AS7-4929:
---------------------------------
Summary: JBoss7 Fails ASV Scan Report Attestation of Scan Compliance
Key: AS7-4929
URL: https://issues.jboss.org/browse/AS7-4929
Project: Application Server 7
Issue Type: Quality Risk
Affects Versions: 7.0.2.Final
Environment: Centos
Reporter: Carlos Oliva
Fix For: 7.0.2.SP1
ASV Scan Report Attestation of Scan Compliance. Vulnerabilities Noted for each IP
Address
https (tcp/443)
GET
/LETtoaCuluFoy4DePCwPLiT0HI1s36zHz9s712uSci
4zxnjnmPAmXpdcnGMYmVwDfBGtXI6zXgIJ1YC8lqJ0T
YlUP8hajSNTWZJH7RUk1K6JHLGgGnDaMfSojaxweHvj
cnRe3KKTJ8miLU3U3XnS4KZ4bihRqT2rIkowzQJHSk9
VbbQ26pdrzLoImGB4v9lqUFyewXsahnz55dwjEDBNRE
ZEbS7b67a<font%20size=50>DEFACED<!--//-- :
MyWebServer 1.0.2 is vulnerable to HTML
injection. Upgrade to a later version.
CVE-2002-1453
Medium 4.3 Fail
http (tcp/80)
GET
/LNSAZoL2iuV3PmcrZl0W5YhMwILOBPbZwzEHVi5QAM
dlOJcFL6Y0Ihv21bU7R3461Q80T3CFq9WqFvx3lfcgs
MIZ4MDac8YVcxkBralskmulwlrf5JnvLuewKZ402AkB
LBIK0CZY7ajOn7U9xzZ0LAgwAzrUaw9UViczNtTyvEK
hm7WnyF5dfR084QH966s324XgjXktxVXXaqe7xtf3d5
bTukJXDoo<font%20size=50>DEFACED<!--//-- :
MyWebServer 1.0.2 is vulnerable to HTML
injection. Upgrade to a later version.
CVE-2002-1453
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
9 a.m.
[
https://issues.jboss.org/browse/AS7-4929?page=com.atlassian.jira.plugin.s...
]
Darran Lofthouse updated AS7-4929:
----------------------------------
Fix Version/s: (was: 7.0.2.SP1)
JBoss7 Fails ASV Scan Report Attestation of Scan Compliance
-----------------------------------------------------------
Key: AS7-4929
URL: https://issues.jboss.org/browse/AS7-4929
Project: Application Server 7
Issue Type: Quality Risk
Affects Versions: 7.0.2.Final
Environment: Centos
Reporter: Carlos Oliva
Labels: jboss
ASV Scan Report Attestation of Scan Compliance. Vulnerabilities Noted for each IP
Address
https (tcp/443)
GET
/LETtoaCuluFoy4DePCwPLiT0HI1s36zHz9s712uSci
4zxnjnmPAmXpdcnGMYmVwDfBGtXI6zXgIJ1YC8lqJ0T
YlUP8hajSNTWZJH7RUk1K6JHLGgGnDaMfSojaxweHvj
cnRe3KKTJ8miLU3U3XnS4KZ4bihRqT2rIkowzQJHSk9
VbbQ26pdrzLoImGB4v9lqUFyewXsahnz55dwjEDBNRE
ZEbS7b67a<font%20size=50>DEFACED<!--//-- :
MyWebServer 1.0.2 is vulnerable to HTML
injection. Upgrade to a later version.
CVE-2002-1453
Medium 4.3 Fail
http (tcp/80)
GET
/LNSAZoL2iuV3PmcrZl0W5YhMwILOBPbZwzEHVi5QAM
dlOJcFL6Y0Ihv21bU7R3461Q80T3CFq9WqFvx3lfcgs
MIZ4MDac8YVcxkBralskmulwlrf5JnvLuewKZ402AkB
LBIK0CZY7ajOn7U9xzZ0LAgwAzrUaw9UViczNtTyvEK
hm7WnyF5dfR084QH966s324XgjXktxVXXaqe7xtf3d5
bTukJXDoo<font%20size=50>DEFACED<!--//-- :
MyWebServer 1.0.2 is vulnerable to HTML
injection. Upgrade to a later version.
CVE-2002-1453
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
9 a.m.
[
https://issues.jboss.org/browse/AS7-4929?page=com.atlassian.jira.plugin.s...
]
Darran Lofthouse commented on AS7-4929:
---------------------------------------
What is the deployed app that is being tested here?
JBoss7 Fails ASV Scan Report Attestation of Scan Compliance
-----------------------------------------------------------
Key: AS7-4929
URL: https://issues.jboss.org/browse/AS7-4929
Project: Application Server 7
Issue Type: Quality Risk
Affects Versions: 7.0.2.Final
Environment: Centos
Reporter: Carlos Oliva
Labels: jboss
ASV Scan Report Attestation of Scan Compliance. Vulnerabilities Noted for each IP
Address
https (tcp/443)
GET
/LETtoaCuluFoy4DePCwPLiT0HI1s36zHz9s712uSci
4zxnjnmPAmXpdcnGMYmVwDfBGtXI6zXgIJ1YC8lqJ0T
YlUP8hajSNTWZJH7RUk1K6JHLGgGnDaMfSojaxweHvj
cnRe3KKTJ8miLU3U3XnS4KZ4bihRqT2rIkowzQJHSk9
VbbQ26pdrzLoImGB4v9lqUFyewXsahnz55dwjEDBNRE
ZEbS7b67a<font%20size=50>DEFACED<!--//-- :
MyWebServer 1.0.2 is vulnerable to HTML
injection. Upgrade to a later version.
CVE-2002-1453
Medium 4.3 Fail
http (tcp/80)
GET
/LNSAZoL2iuV3PmcrZl0W5YhMwILOBPbZwzEHVi5QAM
dlOJcFL6Y0Ihv21bU7R3461Q80T3CFq9WqFvx3lfcgs
MIZ4MDac8YVcxkBralskmulwlrf5JnvLuewKZ402AkB
LBIK0CZY7ajOn7U9xzZ0LAgwAzrUaw9UViczNtTyvEK
hm7WnyF5dfR084QH966s324XgjXktxVXXaqe7xtf3d5
bTukJXDoo<font%20size=50>DEFACED<!--//-- :
MyWebServer 1.0.2 is vulnerable to HTML
injection. Upgrade to a later version.
CVE-2002-1453
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
9:12 a.m.
[
https://issues.jboss.org/browse/AS7-4929?page=com.atlassian.jira.plugin.s...
]
Carlos Oliva commented on AS7-4929:
-----------------------------------
The deployed application is a war app for displaying patient information. The address to
reach the app is http://portal.mcelroy-marcus.com/patientportal
I can make available the full report in pdf format. An upload button seems to be missiong
from this page.
JBoss7 Fails ASV Scan Report Attestation of Scan Compliance
-----------------------------------------------------------
Key: AS7-4929
URL: https://issues.jboss.org/browse/AS7-4929
Project: Application Server 7
Issue Type: Quality Risk
Affects Versions: 7.0.2.Final
Environment: Centos
Reporter: Carlos Oliva
Labels: jboss
ASV Scan Report Attestation of Scan Compliance. Vulnerabilities Noted for each IP
Address
https (tcp/443)
GET
/LETtoaCuluFoy4DePCwPLiT0HI1s36zHz9s712uSci
4zxnjnmPAmXpdcnGMYmVwDfBGtXI6zXgIJ1YC8lqJ0T
YlUP8hajSNTWZJH7RUk1K6JHLGgGnDaMfSojaxweHvj
cnRe3KKTJ8miLU3U3XnS4KZ4bihRqT2rIkowzQJHSk9
VbbQ26pdrzLoImGB4v9lqUFyewXsahnz55dwjEDBNRE
ZEbS7b67a<font%20size=50>DEFACED<!--//-- :
MyWebServer 1.0.2 is vulnerable to HTML
injection. Upgrade to a later version.
CVE-2002-1453
Medium 4.3 Fail
http (tcp/80)
GET
/LNSAZoL2iuV3PmcrZl0W5YhMwILOBPbZwzEHVi5QAM
dlOJcFL6Y0Ihv21bU7R3461Q80T3CFq9WqFvx3lfcgs
MIZ4MDac8YVcxkBralskmulwlrf5JnvLuewKZ402AkB
LBIK0CZY7ajOn7U9xzZ0LAgwAzrUaw9UViczNtTyvEK
hm7WnyF5dfR084QH966s324XgjXktxVXXaqe7xtf3d5
bTukJXDoo<font%20size=50>DEFACED<!--//-- :
MyWebServer 1.0.2 is vulnerable to HTML
injection. Upgrade to a later version.
CVE-2002-1453
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
9:16 a.m.
[
https://issues.jboss.org/browse/AS7-4929?page=com.atlassian.jira.plugin.s...
]
Radoslav Husar commented on AS7-4929:
-------------------------------------
Also not a very good idea to expose AS7 console to the public web:
http://mcelroy-marcus.com/
JBoss7 Fails ASV Scan Report Attestation of Scan Compliance
-----------------------------------------------------------
Key: AS7-4929
URL: https://issues.jboss.org/browse/AS7-4929
Project: Application Server 7
Issue Type: Quality Risk
Affects Versions: 7.0.2.Final
Environment: Centos
Reporter: Carlos Oliva
Labels: jboss
ASV Scan Report Attestation of Scan Compliance. Vulnerabilities Noted for each IP
Address
https (tcp/443)
GET
/LETtoaCuluFoy4DePCwPLiT0HI1s36zHz9s712uSci
4zxnjnmPAmXpdcnGMYmVwDfBGtXI6zXgIJ1YC8lqJ0T
YlUP8hajSNTWZJH7RUk1K6JHLGgGnDaMfSojaxweHvj
cnRe3KKTJ8miLU3U3XnS4KZ4bihRqT2rIkowzQJHSk9
VbbQ26pdrzLoImGB4v9lqUFyewXsahnz55dwjEDBNRE
ZEbS7b67a<font%20size=50>DEFACED<!--//-- :
MyWebServer 1.0.2 is vulnerable to HTML
injection. Upgrade to a later version.
CVE-2002-1453
Medium 4.3 Fail
http (tcp/80)
GET
/LNSAZoL2iuV3PmcrZl0W5YhMwILOBPbZwzEHVi5QAM
dlOJcFL6Y0Ihv21bU7R3461Q80T3CFq9WqFvx3lfcgs
MIZ4MDac8YVcxkBralskmulwlrf5JnvLuewKZ402AkB
LBIK0CZY7ajOn7U9xzZ0LAgwAzrUaw9UViczNtTyvEK
hm7WnyF5dfR084QH966s324XgjXktxVXXaqe7xtf3d5
bTukJXDoo<font%20size=50>DEFACED<!--//-- :
MyWebServer 1.0.2 is vulnerable to HTML
injection. Upgrade to a later version.
CVE-2002-1453
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
9:20 a.m.
[
https://issues.jboss.org/browse/AS7-4929?page=com.atlassian.jira.plugin.s...
]
Carlos Oliva commented on AS7-4929:
-----------------------------------
Is that the problem? Long story short: It should have been protected.
JBoss7 Fails ASV Scan Report Attestation of Scan Compliance
-----------------------------------------------------------
Key: AS7-4929
URL: https://issues.jboss.org/browse/AS7-4929
Project: Application Server 7
Issue Type: Quality Risk
Affects Versions: 7.0.2.Final
Environment: Centos
Reporter: Carlos Oliva
Labels: jboss
ASV Scan Report Attestation of Scan Compliance. Vulnerabilities Noted for each IP
Address
https (tcp/443)
GET
/LETtoaCuluFoy4DePCwPLiT0HI1s36zHz9s712uSci
4zxnjnmPAmXpdcnGMYmVwDfBGtXI6zXgIJ1YC8lqJ0T
YlUP8hajSNTWZJH7RUk1K6JHLGgGnDaMfSojaxweHvj
cnRe3KKTJ8miLU3U3XnS4KZ4bihRqT2rIkowzQJHSk9
VbbQ26pdrzLoImGB4v9lqUFyewXsahnz55dwjEDBNRE
ZEbS7b67a<font%20size=50>DEFACED<!--//-- :
MyWebServer 1.0.2 is vulnerable to HTML
injection. Upgrade to a later version.
CVE-2002-1453
Medium 4.3 Fail
http (tcp/80)
GET
/LNSAZoL2iuV3PmcrZl0W5YhMwILOBPbZwzEHVi5QAM
dlOJcFL6Y0Ihv21bU7R3461Q80T3CFq9WqFvx3lfcgs
MIZ4MDac8YVcxkBralskmulwlrf5JnvLuewKZ402AkB
LBIK0CZY7ajOn7U9xzZ0LAgwAzrUaw9UViczNtTyvEK
hm7WnyF5dfR084QH966s324XgjXktxVXXaqe7xtf3d5
bTukJXDoo<font%20size=50>DEFACED<!--//-- :
MyWebServer 1.0.2 is vulnerable to HTML
injection. Upgrade to a later version.
CVE-2002-1453
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
9:46 a.m.
[
https://issues.jboss.org/browse/AS7-4929?page=com.atlassian.jira.plugin.s...
]
Darran Lofthouse commented on AS7-4929:
---------------------------------------
I would suggest if you detect a possible vulnerability in your own site that you should
refrain from publicly posting the URL to that site along with any report of the
vulnerability.
Do you have the details of the full request that is sent to trigger this? Trying the URL
in your original comment does not result in an error page with the word DEFACED
highlighted however any escaping my have been lost in the conversion to Jira - ideally
attach a text file containing the full request that is reported to reproduce this.
JBoss7 Fails ASV Scan Report Attestation of Scan Compliance
-----------------------------------------------------------
Key: AS7-4929
URL: https://issues.jboss.org/browse/AS7-4929
Project: Application Server 7
Issue Type: Quality Risk
Affects Versions: 7.0.2.Final
Environment: Centos
Reporter: Carlos Oliva
Labels: jboss
ASV Scan Report Attestation of Scan Compliance. Vulnerabilities Noted for each IP
Address
https (tcp/443)
GET
/LETtoaCuluFoy4DePCwPLiT0HI1s36zHz9s712uSci
4zxnjnmPAmXpdcnGMYmVwDfBGtXI6zXgIJ1YC8lqJ0T
YlUP8hajSNTWZJH7RUk1K6JHLGgGnDaMfSojaxweHvj
cnRe3KKTJ8miLU3U3XnS4KZ4bihRqT2rIkowzQJHSk9
VbbQ26pdrzLoImGB4v9lqUFyewXsahnz55dwjEDBNRE
ZEbS7b67a<font%20size=50>DEFACED<!--//-- :
MyWebServer 1.0.2 is vulnerable to HTML
injection. Upgrade to a later version.
CVE-2002-1453
Medium 4.3 Fail
http (tcp/80)
GET
/LNSAZoL2iuV3PmcrZl0W5YhMwILOBPbZwzEHVi5QAM
dlOJcFL6Y0Ihv21bU7R3461Q80T3CFq9WqFvx3lfcgs
MIZ4MDac8YVcxkBralskmulwlrf5JnvLuewKZ402AkB
LBIK0CZY7ajOn7U9xzZ0LAgwAzrUaw9UViczNtTyvEK
hm7WnyF5dfR084QH966s324XgjXktxVXXaqe7xtf3d5
bTukJXDoo<font%20size=50>DEFACED<!--//-- :
MyWebServer 1.0.2 is vulnerable to HTML
injection. Upgrade to a later version.
CVE-2002-1453
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
10:08 a.m.
[
https://issues.jboss.org/browse/AS7-4929?page=com.atlassian.jira.plugin.s...
]
Carlos Oliva commented on AS7-4929:
-----------------------------------
I will abide by your suggestion.
The text in JIRA is the same that we have in the vulnerability report. We have a pdf
report tha I can make available to you. Can I email it to you?
I looked for an upload button to no avail.
JBoss7 Fails ASV Scan Report Attestation of Scan Compliance
-----------------------------------------------------------
Key: AS7-4929
URL: https://issues.jboss.org/browse/AS7-4929
Project: Application Server 7
Issue Type: Quality Risk
Affects Versions: 7.0.2.Final
Environment: Centos
Reporter: Carlos Oliva
Labels: jboss
ASV Scan Report Attestation of Scan Compliance. Vulnerabilities Noted for each IP
Address
https (tcp/443)
GET
/LETtoaCuluFoy4DePCwPLiT0HI1s36zHz9s712uSci
4zxnjnmPAmXpdcnGMYmVwDfBGtXI6zXgIJ1YC8lqJ0T
YlUP8hajSNTWZJH7RUk1K6JHLGgGnDaMfSojaxweHvj
cnRe3KKTJ8miLU3U3XnS4KZ4bihRqT2rIkowzQJHSk9
VbbQ26pdrzLoImGB4v9lqUFyewXsahnz55dwjEDBNRE
ZEbS7b67a<font%20size=50>DEFACED<!--//-- :
MyWebServer 1.0.2 is vulnerable to HTML
injection. Upgrade to a later version.
CVE-2002-1453
Medium 4.3 Fail
http (tcp/80)
GET
/LNSAZoL2iuV3PmcrZl0W5YhMwILOBPbZwzEHVi5QAM
dlOJcFL6Y0Ihv21bU7R3461Q80T3CFq9WqFvx3lfcgs
MIZ4MDac8YVcxkBralskmulwlrf5JnvLuewKZ402AkB
LBIK0CZY7ajOn7U9xzZ0LAgwAzrUaw9UViczNtTyvEK
hm7WnyF5dfR084QH966s324XgjXktxVXXaqe7xtf3d5
bTukJXDoo<font%20size=50>DEFACED<!--//-- :
MyWebServer 1.0.2 is vulnerable to HTML
injection. Upgrade to a later version.
CVE-2002-1453
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
10:10 a.m.
[
https://issues.jboss.org/browse/AS7-4929?page=com.atlassian.jira.plugin.s...
]
Carlos Oliva updated AS7-4929:
------------------------------
Attachment: Scan Failure report.pdf
ASV Scan Report Attestation of Scan Compliance
JBoss7 Fails ASV Scan Report Attestation of Scan Compliance
-----------------------------------------------------------
Key: AS7-4929
URL: https://issues.jboss.org/browse/AS7-4929
Project: Application Server 7
Issue Type: Quality Risk
Affects Versions: 7.0.2.Final
Environment: Centos
Reporter: Carlos Oliva
Labels: jboss
Attachments: Scan Failure report.pdf
ASV Scan Report Attestation of Scan Compliance. Vulnerabilities Noted for each IP
Address
https (tcp/443)
GET
/LETtoaCuluFoy4DePCwPLiT0HI1s36zHz9s712uSci
4zxnjnmPAmXpdcnGMYmVwDfBGtXI6zXgIJ1YC8lqJ0T
YlUP8hajSNTWZJH7RUk1K6JHLGgGnDaMfSojaxweHvj
cnRe3KKTJ8miLU3U3XnS4KZ4bihRqT2rIkowzQJHSk9
VbbQ26pdrzLoImGB4v9lqUFyewXsahnz55dwjEDBNRE
ZEbS7b67a<font%20size=50>DEFACED<!--//-- :
MyWebServer 1.0.2 is vulnerable to HTML
injection. Upgrade to a later version.
CVE-2002-1453
Medium 4.3 Fail
http (tcp/80)
GET
/LNSAZoL2iuV3PmcrZl0W5YhMwILOBPbZwzEHVi5QAM
dlOJcFL6Y0Ihv21bU7R3461Q80T3CFq9WqFvx3lfcgs
MIZ4MDac8YVcxkBralskmulwlrf5JnvLuewKZ402AkB
LBIK0CZY7ajOn7U9xzZ0LAgwAzrUaw9UViczNtTyvEK
hm7WnyF5dfR084QH966s324XgjXktxVXXaqe7xtf3d5
bTukJXDoo<font%20size=50>DEFACED<!--//-- :
MyWebServer 1.0.2 is vulnerable to HTML
injection. Upgrade to a later version.
CVE-2002-1453
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
10:10 a.m.
[
https://issues.jboss.org/browse/AS7-4929?page=com.atlassian.jira.plugin.s...
]
Darran Lofthouse commented on AS7-4929:
---------------------------------------
Under 'More Actions' after dropping it down there should be an 'Attach
Files' option.
JBoss7 Fails ASV Scan Report Attestation of Scan Compliance
-----------------------------------------------------------
Key: AS7-4929
URL: https://issues.jboss.org/browse/AS7-4929
Project: Application Server 7
Issue Type: Quality Risk
Affects Versions: 7.0.2.Final
Environment: Centos
Reporter: Carlos Oliva
Labels: jboss
Attachments: Scan Failure report.pdf
ASV Scan Report Attestation of Scan Compliance. Vulnerabilities Noted for each IP
Address
https (tcp/443)
GET
/LETtoaCuluFoy4DePCwPLiT0HI1s36zHz9s712uSci
4zxnjnmPAmXpdcnGMYmVwDfBGtXI6zXgIJ1YC8lqJ0T
YlUP8hajSNTWZJH7RUk1K6JHLGgGnDaMfSojaxweHvj
cnRe3KKTJ8miLU3U3XnS4KZ4bihRqT2rIkowzQJHSk9
VbbQ26pdrzLoImGB4v9lqUFyewXsahnz55dwjEDBNRE
ZEbS7b67a<font%20size=50>DEFACED<!--//-- :
MyWebServer 1.0.2 is vulnerable to HTML
injection. Upgrade to a later version.
CVE-2002-1453
Medium 4.3 Fail
http (tcp/80)
GET
/LNSAZoL2iuV3PmcrZl0W5YhMwILOBPbZwzEHVi5QAM
dlOJcFL6Y0Ihv21bU7R3461Q80T3CFq9WqFvx3lfcgs
MIZ4MDac8YVcxkBralskmulwlrf5JnvLuewKZ402AkB
LBIK0CZY7ajOn7U9xzZ0LAgwAzrUaw9UViczNtTyvEK
hm7WnyF5dfR084QH966s324XgjXktxVXXaqe7xtf3d5
bTukJXDoo<font%20size=50>DEFACED<!--//-- :
MyWebServer 1.0.2 is vulnerable to HTML
injection. Upgrade to a later version.
CVE-2002-1453
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
10:10 a.m.
[
https://issues.jboss.org/browse/AS7-4929?page=com.atlassian.jira.plugin.s...
]
Carlos Oliva commented on AS7-4929:
-----------------------------------
I attached the pdf file. I hope that you can see it.
JBoss7 Fails ASV Scan Report Attestation of Scan Compliance
-----------------------------------------------------------
Key: AS7-4929
URL: https://issues.jboss.org/browse/AS7-4929
Project: Application Server 7
Issue Type: Quality Risk
Affects Versions: 7.0.2.Final
Environment: Centos
Reporter: Carlos Oliva
Labels: jboss
Attachments: Scan Failure report.pdf
ASV Scan Report Attestation of Scan Compliance. Vulnerabilities Noted for each IP
Address
https (tcp/443)
GET
/LETtoaCuluFoy4DePCwPLiT0HI1s36zHz9s712uSci
4zxnjnmPAmXpdcnGMYmVwDfBGtXI6zXgIJ1YC8lqJ0T
YlUP8hajSNTWZJH7RUk1K6JHLGgGnDaMfSojaxweHvj
cnRe3KKTJ8miLU3U3XnS4KZ4bihRqT2rIkowzQJHSk9
VbbQ26pdrzLoImGB4v9lqUFyewXsahnz55dwjEDBNRE
ZEbS7b67a<font%20size=50>DEFACED<!--//-- :
MyWebServer 1.0.2 is vulnerable to HTML
injection. Upgrade to a later version.
CVE-2002-1453
Medium 4.3 Fail
http (tcp/80)
GET
/LNSAZoL2iuV3PmcrZl0W5YhMwILOBPbZwzEHVi5QAM
dlOJcFL6Y0Ihv21bU7R3461Q80T3CFq9WqFvx3lfcgs
MIZ4MDac8YVcxkBralskmulwlrf5JnvLuewKZ402AkB
LBIK0CZY7ajOn7U9xzZ0LAgwAzrUaw9UViczNtTyvEK
hm7WnyF5dfR084QH966s324XgjXktxVXXaqe7xtf3d5
bTukJXDoo<font%20size=50>DEFACED<!--//-- :
MyWebServer 1.0.2 is vulnerable to HTML
injection. Upgrade to a later version.
CVE-2002-1453
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
10:18 a.m.
[
https://issues.jboss.org/browse/AS7-4929?page=com.atlassian.jira.plugin.s...
]
Carlos Oliva commented on AS7-4929:
-----------------------------------
There should be a file available for you now. It has the details of the test; including
the GET request.
JBoss7 Fails ASV Scan Report Attestation of Scan Compliance
-----------------------------------------------------------
Key: AS7-4929
URL: https://issues.jboss.org/browse/AS7-4929
Project: Application Server 7
Issue Type: Quality Risk
Affects Versions: 7.0.2.Final
Environment: Centos
Reporter: Carlos Oliva
Labels: jboss
Attachments: Scan Failure report.pdf
ASV Scan Report Attestation of Scan Compliance. Vulnerabilities Noted for each IP
Address
https (tcp/443)
GET
/LETtoaCuluFoy4DePCwPLiT0HI1s36zHz9s712uSci
4zxnjnmPAmXpdcnGMYmVwDfBGtXI6zXgIJ1YC8lqJ0T
YlUP8hajSNTWZJH7RUk1K6JHLGgGnDaMfSojaxweHvj
cnRe3KKTJ8miLU3U3XnS4KZ4bihRqT2rIkowzQJHSk9
VbbQ26pdrzLoImGB4v9lqUFyewXsahnz55dwjEDBNRE
ZEbS7b67a<font%20size=50>DEFACED<!--//-- :
MyWebServer 1.0.2 is vulnerable to HTML
injection. Upgrade to a later version.
CVE-2002-1453
Medium 4.3 Fail
http (tcp/80)
GET
/LNSAZoL2iuV3PmcrZl0W5YhMwILOBPbZwzEHVi5QAM
dlOJcFL6Y0Ihv21bU7R3461Q80T3CFq9WqFvx3lfcgs
MIZ4MDac8YVcxkBralskmulwlrf5JnvLuewKZ402AkB
LBIK0CZY7ajOn7U9xzZ0LAgwAzrUaw9UViczNtTyvEK
hm7WnyF5dfR084QH966s324XgjXktxVXXaqe7xtf3d5
bTukJXDoo<font%20size=50>DEFACED<!--//-- :
MyWebServer 1.0.2 is vulnerable to HTML
injection. Upgrade to a later version.
CVE-2002-1453
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
10:22 a.m.
[
https://issues.jboss.org/browse/AS7-4929?page=com.atlassian.jira.plugin.s...
]
Darran Lofthouse commented on AS7-4929:
---------------------------------------
Thanks for the attachment - I still can not reproduce anything here.
Do you have support for the tool you are using? I think really you are going to need to
follow up with the supplier of the scanning utility to verify exactly how it is
identifying the failure.
The report itself is actually for a specific web server which is not JBoss AS - when I
test this myself the contents of the URL are appropriately escaped in the error message so
the do not form any type of HTML injection into the error message which is displayed.
JBoss7 Fails ASV Scan Report Attestation of Scan Compliance
-----------------------------------------------------------
Key: AS7-4929
URL: https://issues.jboss.org/browse/AS7-4929
Project: Application Server 7
Issue Type: Quality Risk
Affects Versions: 7.0.2.Final
Environment: Centos
Reporter: Carlos Oliva
Labels: jboss
Attachments: Scan Failure report.pdf
ASV Scan Report Attestation of Scan Compliance. Vulnerabilities Noted for each IP
Address
https (tcp/443)
GET
/LETtoaCuluFoy4DePCwPLiT0HI1s36zHz9s712uSci
4zxnjnmPAmXpdcnGMYmVwDfBGtXI6zXgIJ1YC8lqJ0T
YlUP8hajSNTWZJH7RUk1K6JHLGgGnDaMfSojaxweHvj
cnRe3KKTJ8miLU3U3XnS4KZ4bihRqT2rIkowzQJHSk9
VbbQ26pdrzLoImGB4v9lqUFyewXsahnz55dwjEDBNRE
ZEbS7b67a<font%20size=50>DEFACED<!--//-- :
MyWebServer 1.0.2 is vulnerable to HTML
injection. Upgrade to a later version.
CVE-2002-1453
Medium 4.3 Fail
http (tcp/80)
GET
/LNSAZoL2iuV3PmcrZl0W5YhMwILOBPbZwzEHVi5QAM
dlOJcFL6Y0Ihv21bU7R3461Q80T3CFq9WqFvx3lfcgs
MIZ4MDac8YVcxkBralskmulwlrf5JnvLuewKZ402AkB
LBIK0CZY7ajOn7U9xzZ0LAgwAzrUaw9UViczNtTyvEK
hm7WnyF5dfR084QH966s324XgjXktxVXXaqe7xtf3d5
bTukJXDoo<font%20size=50>DEFACED<!--//-- :
MyWebServer 1.0.2 is vulnerable to HTML
injection. Upgrade to a later version.
CVE-2002-1453
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
10:44 a.m.
[
https://issues.jboss.org/browse/AS7-4929?page=com.atlassian.jira.plugin.s...
]
Carlos Oliva commented on AS7-4929:
-----------------------------------
My Systems Administrator is going to get in touch wiht the makers of the tool. I will
post here what they tell us. We appreciate your help.
Could this just be a "false positive"?
JBoss7 Fails ASV Scan Report Attestation of Scan Compliance
-----------------------------------------------------------
Key: AS7-4929
URL: https://issues.jboss.org/browse/AS7-4929
Project: Application Server 7
Issue Type: Quality Risk
Affects Versions: 7.0.2.Final
Environment: Centos
Reporter: Carlos Oliva
Labels: jboss
Attachments: Scan Failure report.pdf
ASV Scan Report Attestation of Scan Compliance. Vulnerabilities Noted for each IP
Address
https (tcp/443)
GET
/LETtoaCuluFoy4DePCwPLiT0HI1s36zHz9s712uSci
4zxnjnmPAmXpdcnGMYmVwDfBGtXI6zXgIJ1YC8lqJ0T
YlUP8hajSNTWZJH7RUk1K6JHLGgGnDaMfSojaxweHvj
cnRe3KKTJ8miLU3U3XnS4KZ4bihRqT2rIkowzQJHSk9
VbbQ26pdrzLoImGB4v9lqUFyewXsahnz55dwjEDBNRE
ZEbS7b67a<font%20size=50>DEFACED<!--//-- :
MyWebServer 1.0.2 is vulnerable to HTML
injection. Upgrade to a later version.
CVE-2002-1453
Medium 4.3 Fail
http (tcp/80)
GET
/LNSAZoL2iuV3PmcrZl0W5YhMwILOBPbZwzEHVi5QAM
dlOJcFL6Y0Ihv21bU7R3461Q80T3CFq9WqFvx3lfcgs
MIZ4MDac8YVcxkBralskmulwlrf5JnvLuewKZ402AkB
LBIK0CZY7ajOn7U9xzZ0LAgwAzrUaw9UViczNtTyvEK
hm7WnyF5dfR084QH966s324XgjXktxVXXaqe7xtf3d5
bTukJXDoo<font%20size=50>DEFACED<!--//-- :
MyWebServer 1.0.2 is vulnerable to HTML
injection. Upgrade to a later version.
CVE-2002-1453
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
10:48 a.m.
[
https://issues.jboss.org/browse/AS7-4929?page=com.atlassian.jira.plugin.s...
]
Darran Lofthouse commented on AS7-4929:
---------------------------------------
At the moment from the information I have this does sound like it could be a false
positive - however verification with the maker of the tool will help confirming one way or
the other.
JBoss7 Fails ASV Scan Report Attestation of Scan Compliance
-----------------------------------------------------------
Key: AS7-4929
URL: https://issues.jboss.org/browse/AS7-4929
Project: Application Server 7
Issue Type: Quality Risk
Affects Versions: 7.0.2.Final
Environment: Centos
Reporter: Carlos Oliva
Labels: jboss
Attachments: Scan Failure report.pdf
ASV Scan Report Attestation of Scan Compliance. Vulnerabilities Noted for each IP
Address
https (tcp/443)
GET
/LETtoaCuluFoy4DePCwPLiT0HI1s36zHz9s712uSci
4zxnjnmPAmXpdcnGMYmVwDfBGtXI6zXgIJ1YC8lqJ0T
YlUP8hajSNTWZJH7RUk1K6JHLGgGnDaMfSojaxweHvj
cnRe3KKTJ8miLU3U3XnS4KZ4bihRqT2rIkowzQJHSk9
VbbQ26pdrzLoImGB4v9lqUFyewXsahnz55dwjEDBNRE
ZEbS7b67a<font%20size=50>DEFACED<!--//-- :
MyWebServer 1.0.2 is vulnerable to HTML
injection. Upgrade to a later version.
CVE-2002-1453
Medium 4.3 Fail
http (tcp/80)
GET
/LNSAZoL2iuV3PmcrZl0W5YhMwILOBPbZwzEHVi5QAM
dlOJcFL6Y0Ihv21bU7R3461Q80T3CFq9WqFvx3lfcgs
MIZ4MDac8YVcxkBralskmulwlrf5JnvLuewKZ402AkB
LBIK0CZY7ajOn7U9xzZ0LAgwAzrUaw9UViczNtTyvEK
hm7WnyF5dfR084QH966s324XgjXktxVXXaqe7xtf3d5
bTukJXDoo<font%20size=50>DEFACED<!--//-- :
MyWebServer 1.0.2 is vulnerable to HTML
injection. Upgrade to a later version.
CVE-2002-1453
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
1:52 a.m.
[
https://issues.jboss.org/browse/AS7-4929?page=com.atlassian.jira.plugin.s...
]
David Jorm resolved AS7-4929.
-----------------------------
Resolution: Rejected
This issue appears to be in the deployed application, not in AS7 itself.
JBoss7 Fails ASV Scan Report Attestation of Scan Compliance
-----------------------------------------------------------
Key: AS7-4929
URL: https://issues.jboss.org/browse/AS7-4929
Project: Application Server 7
Issue Type: Quality Risk
Affects Versions: 7.0.2.Final
Environment: Centos
Reporter: Carlos Oliva
Labels: jboss
Attachments: Scan Failure report.pdf
ASV Scan Report Attestation of Scan Compliance. Vulnerabilities Noted for each IP
Address
https (tcp/443)
GET
/LETtoaCuluFoy4DePCwPLiT0HI1s36zHz9s712uSci
4zxnjnmPAmXpdcnGMYmVwDfBGtXI6zXgIJ1YC8lqJ0T
YlUP8hajSNTWZJH7RUk1K6JHLGgGnDaMfSojaxweHvj
cnRe3KKTJ8miLU3U3XnS4KZ4bihRqT2rIkowzQJHSk9
VbbQ26pdrzLoImGB4v9lqUFyewXsahnz55dwjEDBNRE
ZEbS7b67a<font%20size=50>DEFACED<!--//-- :
MyWebServer 1.0.2 is vulnerable to HTML
injection. Upgrade to a later version.
CVE-2002-1453
Medium 4.3 Fail
http (tcp/80)
GET
/LNSAZoL2iuV3PmcrZl0W5YhMwILOBPbZwzEHVi5QAM
dlOJcFL6Y0Ihv21bU7R3461Q80T3CFq9WqFvx3lfcgs
MIZ4MDac8YVcxkBralskmulwlrf5JnvLuewKZ402AkB
LBIK0CZY7ajOn7U9xzZ0LAgwAzrUaw9UViczNtTyvEK
hm7WnyF5dfR084QH966s324XgjXktxVXXaqe7xtf3d5
bTukJXDoo<font%20size=50>DEFACED<!--//-- :
MyWebServer 1.0.2 is vulnerable to HTML
injection. Upgrade to a later version.
CVE-2002-1453
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
4410
days inactive
4544
days old
15 comments
4 participants
participants (4)
-
Carlos Oliva (JIRA) -
Darran Lofthouse (JIRA)
-
David Jorm (JIRA)
-
Radoslav Husar (JIRA)