
Subject: Two Vulnerabilities in OpenWFE Web Client
Date: 24 Oct 2004 20:00:28 -0000
---------------------------------------------------------------------------
Two Vulnerabilities in OpenWFE
---------------------------------------------------------------------------
Author: Jose Antonio Coret (Joxean Koret)
Date: 2004
Location: Basque Country
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
OpenWFE - Open WorkFlow Engine v1.4.x
OpenWFE is an open source Java workflow engine. It is a complete Business
Process Management suite with four components: an engine, a worklist, a
web client and a reactor (a host for automatic agents). It can also be
used behind the scenes.
Web : http://www.openwfe.org
---------------------------------------------------------------------------
Vulnerabilities:
~~~~~~~~~~~~~~~~
A. Cross Site Scripting vulnerability in the 'Login Form' of the Web Client.
A1. The login form of the Web Client has three fields:
1.- The URL of the RMI remote service (the "Worklist URL")
2.- The username
3.- The password
The URL field is vulnerable to a reflected XSS attack: whatever the user
submits is echoed back into the page without validation or encoding, so
markup embedded in it is rendered (and script in it executed) by the
browser.
To test the problem follow these steps:
1.- Go to any site that hosts the OpenWFE web client.
2.- In the Worklist URL field enter, for example, the following data:
rmi://localhost:7080/workSessionServer"><script>alert(document.cookie)</script>
or this:
rmi://<h1>hi</h1>:7099/workSessionServer
3.- Enter any username and password, and press the button to log in.
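The reflection described above, modelled as an added example (this is not OpenWFE code and not from the advisory's author). The page below echoes the submitted Worklist URL in two places, as the pre-filled value of the URL field (attribute context) and in an error line (text context); where the real web client echoed the value is an assumption, what the advisory shows is that it did so without encoding. `encode=false` reproduces that pre-fix behaviour, `encode=true` applies the fix, and `injectedTags` lists the start tags that reached the browser but were never written by the template:

```javascript
// Added example, not code from OpenWFE or from the advisory's author.
// The form layout, field names and error line are assumptions; the two
// payloads are the ones given in the advisory.

// Escape the five characters that matter in HTML text and in
// double-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Render the login page after a failed attempt, echoing the submitted
// Worklist URL both in an error line (text context) and as the field's
// pre-filled value (attribute context). encode=false is the vulnerable
// behaviour; encode=true is the fix.
function renderLoginPage(worklistUrl, encode) {
  const v = encode ? escapeHtml(worklistUrl) : String(worklistUrl);
  return [
    '<p class="error">Could not connect to worklist ' + v + '</p>',
    '<form method="post" action="login">',
    '  Worklist URL: <input type="text" name="worklistUrl" value="' + v + '">',
    '  Username: <input type="text" name="username">',
    '  Password: <input type="password" name="password">',
    '  <input type="submit" value="Login">',
    '</form>',
  ].join('\n');
}

// Start tags the template itself emits; anything else came from input.
const TEMPLATE_TAGS = new Set(['p', 'form', 'input']);

// List start tags in the rendered HTML that the template did not write.
// A regex is good enough for this demonstration; a real test would use
// an HTML parser.
function injectedTags(html) {
  const found = [];
  const re = /<([a-zA-Z][a-zA-Z0-9]*)\b/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    if (!TEMPLATE_TAGS.has(tag)) found.push(tag);
  }
  return found;
}

// The two payloads from the advisory.
const PAYLOADS = {
  script: 'rmi://localhost:7080/workSessionServer"><script>alert(document.cookie)</script>',
  heading: 'rmi://<h1>hi</h1>:7099/workSessionServer',
};

// For each payload, which foreign tags reach the browser before and
// after the fix. With encoding on, the list is empty for both.
function compare() {
  const out = {};
  for (const [name, p] of Object.entries(PAYLOADS)) {
    out[name] = {
      unencoded: injectedTags(renderLoginPage(p, false)),
      encoded: injectedTags(renderLoginPage(p, true)),
    };
  }
  return out;
}

console.log(JSON.stringify(compare(), null, 2));
```

Output encoding at the point where the value is written into HTML is the fix for this class of bug; validating that the field looks like an RMI URL before using it is a separate, complementary control and does not replace the encoding.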
B. Possible Port Scanner
B1. The Worklist URL field has the form:
rmi://<hostname>:<port>/location
The web client opens an RMI connection to whatever host and port the user
supplies, and the error it returns, and the time it takes to return it,
differ according to what it found at that address. This makes it possible
to use the web client as a simple host/port scanner run from the
perspective of the OpenWFE host, including against addresses such as
localhost or 192.168.1.2 that the attacker may not be able to reach
directly.
Examples:
Query -> rmi://server/workSessionServer
Response Time -> 1 second
Response -> Error : java.rmi.UnknownHostException: Unknown host
Query -> rmi://localhost:709/workSessionServer
Response Time -> 1 second
Response -> Error : java.rmi.ConnectException: Connection refused to host
Query -> rmi://localhost:7085/workSessionServer
Response Time -> 5 seconds
Response -> Error : java.rmi.ConnectIOException: error during JRMP
connection establishment
Query -> rmi://drill.hackerslab.org:23/workSessionServer
Response Time -> greater than 5 seconds
Response -> Error : java.rmi.ConnectIOException: non-JRMP server at remote
endpoint
Query -> rmi://192.168.1.2/workSessionServer
Response Time -> greater than 30 seconds
Response -> No response, no timeout
From the response time and the error message it is easy to build a simple
port/host scanner: an unknown-host error means the name does not resolve,
"Connection refused" means the host is up and the port closed, a JRMP
error means a TCP connection was accepted (and, in the non-JRMP case, that
some other service answered on the port), and no answer at all suggests
the host is down or the port is filtered.
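The oracle above and a control that removes it, as an added example (not OpenWFE code and not from the advisory's author). Part 1 turns the five observations from the advisory into the inference an attacker would automate: from the error text and the time the web client took to answer, decide what the probe revealed about the target. Part 2 is the server-side check I would add so that the client only ever dials RMI endpoints on a configured allowlist; the host names, the allowlist and the timing threshold are assumptions, and the observations are constructed from the advisory's table:

```javascript
// Added example, not code from OpenWFE or from the advisory's author.

// --- Part 1: the oracle ------------------------------------------------

// Observations constructed from the advisory's table (time in seconds;
// error === null means the request never returned).
const OBSERVATIONS = [
  { url: 'rmi://server/workSessionServer', seconds: 1,
    error: 'java.rmi.UnknownHostException: Unknown host' },
  { url: 'rmi://localhost:709/workSessionServer', seconds: 1,
    error: 'java.rmi.ConnectException: Connection refused to host' },
  { url: 'rmi://localhost:7085/workSessionServer', seconds: 5,
    error: 'java.rmi.ConnectIOException: error during JRMP connection establishment' },
  { url: 'rmi://drill.hackerslab.org:23/workSessionServer', seconds: 6,
    error: 'java.rmi.ConnectIOException: non-JRMP server at remote endpoint' },
  { url: 'rmi://192.168.1.2/workSessionServer', seconds: 31, error: null },
];

const NO_ANSWER_SECONDS = 30; // assumed threshold: slower than this = no answer

// Map one probe result to what it says about the target.
function classifyProbe(error, seconds) {
  if (error === null) {
    return seconds > NO_ANSWER_SECONDS ? 'host down or filtered (SYN dropped)' : 'inconclusive';
  }
  if (/UnknownHostException/.test(error)) return 'name does not resolve';
  if (/ConnectException: Connection refused/.test(error)) return 'host up, port closed';
  if (/non-JRMP server/.test(error)) return 'port open, non-RMI service answered';
  if (/JRMP connection establishment/.test(error)) return 'port open, RMI handshake failed';
  return 'inconclusive';
}

function scanReport(observations) {
  return observations.map(o => ({ url: o.url, verdict: classifyProbe(o.error, o.seconds) }));
}

// --- Part 2: the control -----------------------------------------------

// Strict grammar for the only URL shape the client needs: rmi://host[:port]/name.
// java.rmi.Naming uses 1099 when no port is given. Because the grammar admits
// no quotes or angle brackets it also rejects both XSS payloads from section A,
// which is defence in depth on top of output encoding, not a replacement for it.
const RMI_URL = /^rmi:\/\/([A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)(?::([0-9]{1,5}))?\/([A-Za-z0-9_]+)$/;

function parseRmiUrl(s) {
  const m = RMI_URL.exec(String(s));
  if (!m) return null;
  const port = m[2] === undefined ? 1099 : Number(m[2]);
  if (port < 1 || port > 65535) return null;
  return { host: m[1], port, name: m[3] };
}

// Assumed deployment: exactly one worklist server the web client may use.
const ALLOWED_WORKLISTS = new Set(['worklist.example.internal:7080']);

function isAllowedWorklist(s) {
  const u = parseRmiUrl(s);
  return u !== null && ALLOWED_WORKLISTS.has(u.host + ':' + u.port);
}

// Anything not on the allowlist is rejected before any socket is opened,
// so neither the error text nor the timing says anything about other hosts.
function worklistUrlOrReject(s) {
  return isAllowedWorklist(s) ? parseRmiUrl(s) : null;
}

console.log(scanReport(OBSERVATIONS));
console.log(OBSERVATIONS.map(o => [o.url, isAllowedWorklist(o.url)]));
```

The allowlist keyed on host:port is deliberately stricter than a hostname check alone: the advisory's own probes vary only the port on localhost, and a hostname-only rule would still let those through.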
The fix:
~~~~~~~~
The problems have been fixed in the latest release of the OpenWFE web
client. Go to http://www.openwfe.org for more information about the patch.
Disclaimer:
~~~~~~~~~~~
The information in this advisory and any of its demonstrations is provided
"as is" without any warranty of any kind. I am not liable for any direct or
indirect damages caused as a result of using the information or
demonstrations provided in any part of this advisory.
---------------------------------------------------------------------------
Contact:
~~~~~~~~
Joxean Koret at
joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es