eXoGadgetServer/gadgets/proxy Provides Access to protected network resources
----------------------------------------------------------------------------
Key: JBPORTAL-2477
URL: https://jira.jboss.org/jira/browse/JBPORTAL-2477
Project: JBoss Portal
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: Portal Security
Affects Versions: 3.0 Final
Environment: Tested on a number of different platforms
Reporter: Ian De Villiers
Fix For: 3.0 Final
As per e-mail originally detailing issues with GateIn 3.0.0-Beta2 sent to Thomas Heute on
16th November, 2009.
When gadgets are added to the dashboard, the /eXoGadgetServer/gadgets/proxy component
loads resources such as images from the portal server using the url specified by the url
parameter.
However, no validation checking is performed on the URL field, making it possible to
access resources on alternate HTTP ports or alternate servers.
Numerous similar issues exist within other portal applications. BEA WebLogic (now
Oracle) and Vignette Portal have also been found to be vulnerable to similar issues in the
past.
However, in the case of these portal systems, these requests are only allowed to be made
to hosts defined within the same scope as the originating server. Additionally (although
this is configurable), the majority of these portlets can only be exploited by
authenticated users.
In the case of GateIn Portal, an unauthenticated user can make a request to any
third-party system (or port) by tampering with the url parameter.
This may result in an attacker initiating attacks against third-party systems, or
accessing resources which would otherwise be protected.
For example, assume the GateIn Portal is exposed to the Internet, the J2EE application
server has been configured to serve portal content on port 80, and the J2EE administrative
components are only available on port 8080. Inbound traffic destined for port 8080 from
the Internet is restricted by the firewall.
An attacker would be able to access the J2EE administrative components by requesting the
following URL:
http://VulnerableHost:80/eXoGadgetServer/gadgets/proxy?url=http%3A%2F%2F1...
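The missing control the report describes is a validation step on the proxy's url parameter. The following is an added example (not GateIn code) of the rule the report notes other portal products apply: fetches are only permitted to hosts in the same scope as the originating server, on the ports that serve portal content. The hostnames in ALLOWED_HOSTS, the port set, and the sample query strings are constructed for illustration.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed deployment, matching the report's scenario: portal content is served
# on port 80 (and 443); the administrative interface on 8080 must never be reachable
# through the proxy, nor may any third-party host or IP literal.
ALLOWED_HOSTS = {"portal.example.org", "static.example.org"}   # assumed names
ALLOWED_PORTS = {80, 443}
DEFAULT_PORTS = {"http": 80, "https": 443}


def proxy_target_allowed(url, allowed_hosts=ALLOWED_HOSTS, allowed_ports=ALLOWED_PORTS):
    """Decide whether a value of the proxy's `url` parameter may be fetched.

    Returns (ok, reason). Every check is an allowlist: the scheme must be
    http/https, the effective port must be one that serves portal content,
    and the host must be one of the portal's own hosts. IP literals and
    URLs carrying userinfo are refused outright.
    """
    try:
        parts = urlsplit(url)
        port = parts.port          # ValueError on a non-numeric or out-of-range port
    except ValueError:
        return False, "unparseable URL or port"

    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return False, "scheme %r not permitted" % scheme
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not permitted"

    host = parts.hostname          # lower-cased, brackets stripped from IPv6 literals
    if not host:
        return False, "missing host"

    if port is None:
        port = DEFAULT_PORTS[scheme]
    if port not in allowed_ports:
        return False, "port %d not permitted" % port

    # An IP literal bypasses any name-based allowlist (127.0.0.1, [::1], RFC 1918
    # ranges), so it is never accepted, whatever address it denotes.
    try:
        ipaddress.ip_address(host)
        return False, "IP literal not permitted"
    except ValueError:
        pass

    if host not in allowed_hosts:
        return False, "host %r not in allowlist" % host
    return True, "ok"


def vet_proxy_query(query_string):
    """Apply the check to the raw query string of a /gadgets/proxy request.

    parse_qs performs the percent-decoding a servlet container would do, so
    `url=http%3A%2F%2F...` arrives as a plain URL. Exactly one url value is required.
    """
    values = parse_qs(query_string).get("url", [])
    if len(values) != 1:
        return False, "expected exactly one url parameter"
    return proxy_target_allowed(values[0])


if __name__ == "__main__":
    # Constructed requests: a legitimate gadget image fetch, then the report's
    # scenario of reaching the administrative port through the portal host.
    for qs in ("url=http%3A%2F%2Fstatic.example.org%2Fimg%2Flogo.png",
               "url=http%3A%2F%2Fportal.example.org%3A8080%2Fadmin%2F",
               "url=http%3A%2F%2Fthird-party.example.net%2F"):
        print(qs, "->", vet_proxy_query(qs))
```

The decision is deliberately made on the parsed host and the effective port rather than on string prefixes, so a URL such as `http://user@static.example.org` or `http://static.example.org:8080` cannot match an allowed entry by accident.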
I've been researching these specific vulnerabilities in portal environments for a
while now, and have authored a toolset specifically designed at exploiting these
vulnerabilities in order to gain access to protected network resources.