[jboss-jira] [JBoss JIRA] Created: (JBPORTAL-2477) eXoGadgetServer/gadgets/proxy Provides Access to protected network resources

Ian De Villiers (JIRA) jira-events at lists.jboss.org
Fri May 14 03:31:26 EDT 2010


eXoGadgetServer/gadgets/proxy Provides Access to protected network resources
----------------------------------------------------------------------------

                 Key: JBPORTAL-2477
                 URL: https://jira.jboss.org/jira/browse/JBPORTAL-2477
             Project: JBoss Portal
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: Portal Security
    Affects Versions: 3.0 Final
         Environment: Tested on a number of different platforms
            Reporter: Ian De Villiers
             Fix For: 3.0 Final


As per e-mail originally detailing issues with GateIn3.0.0-Beta2 sent to Thomas Heute on 16th November, 2009.

When gadgets are added to the dashboard, the /eXoGadgetServer/gadgets/proxy component loads resources such as images from the portal server, fetching them from the URL given in the url parameter.

However, no validation is performed on the url parameter, making it possible to access resources on alternate HTTP ports or on alternate servers.

Numerous similar issues exist within other portal applications. BEA WebLogic (now Oracle) and Vignette Portal have also been found to be vulnerable to similar issues in the past.

However, in the case of those portal systems, such requests may only be made to hosts defined within the same scope as the originating server. Additionally (although this is configurable), the majority of those portlets can only be exploited by authenticated users.

In the case of GateIn Portal, an unauthenticated user can make a request to any third-party system (or port) by tampering with the url parameter.

This may result in an attacker initiating attacks against third-party systems, or accessing resources which would otherwise be protected.

For example, assume the GateIn Portal is exposed to the Internet, the J2EE application server has been configured to serve portal content on port 80, and the J2EE administrative components are only available on port 8080. Inbound traffic from the Internet destined for port 8080 is restricted by the firewall.

An attacker would be able to access the J2EE administrative components by requesting the following URL:

http://VulnerableHost:80/eXoGadgetServer/gadgets/proxy?url=http%3A%2F%2F127.0.0.1%3A8080%2Fmanager%2f&gadget=http%3A%2F%2FVulnerableHost%3A80%2Frest%2Fjcr%2Frepository%2Fgadgets%2FCalculator%2FCalculator.xml&fp=-182800334&refresh=86400
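The check that the proxy is missing, written as an added example and not code from GateIn or JBoss Portal: the url parameter is decoded exactly as the proxy would receive it, then restricted to plain http(s), to a host allowlist, and to permitted ports, with loopback and private IP literals and userinfo tricks rejected outright. ALLOWED_HOSTS and ALLOWED_PORTS are assumed configuration values constructed for this example.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed for this example: the portal's public host name and the ports
# the gadget proxy may fetch from. A deployment would load these from config.
ALLOWED_HOSTS = {"vulnerablehost"}
ALLOWED_PORTS = {80, 443}


def _is_forbidden_ip(host: str) -> bool:
    """True when host is an IP literal outside public address space
    (loopback, private, link-local, ...). DNS names return False here."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not ip.is_global


def is_allowed_proxy_target(url: str) -> bool:
    """Decide whether the proxy may fetch url. Rejects non-http(s) schemes,
    URLs carrying userinfo (http://allowed@other-host/), non-public IP
    literals, hosts off the allowlist, and ports not explicitly permitted."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").lower()
    if not host or _is_forbidden_ip(host):
        return False
    if port is None:
        port = 443 if scheme == "https" else 80
    return host in ALLOWED_HOSTS and port in ALLOWED_PORTS


def proxy_request_allowed(request_url: str) -> bool:
    """Extract the percent-encoded url parameter from a request to the proxy
    endpoint, as the proxy would, and validate the decoded target."""
    target = parse_qs(urlsplit(request_url).query).get("url", [""])[0]
    return is_allowed_proxy_target(target)
```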

I've been researching these specific vulnerabilities in portal environments for a while now, and have authored a toolset designed specifically to exploit these vulnerabilities in order to gain access to protected network resources.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        


More information about the jboss-jira mailing list