JBoss Security vulnerability JMX Management Console

Awesome! A lot of servers have their JBoss Management Console open to the world, without any authentication: no password, no security at all. A huge and silly vulnerability!

Any remote user can completely control the server: full control over a lot of the server configuration, plus disclosure of internal network and infrastructure information. You can change the web service listening port (I tested this on one of them, then put the original port back), view internal IPs and open connections to a client, read a lot of absolute server paths, change security configuration… too much power, with almost no knowledge needed.

These vulnerable JBoss servers let anybody reach jmx-console and web-console, the web-based administration tools of JBoss.

There are still a lot of silly vulnerabilities like this on the Internet… this is not a JBoss vulnerability, it's a people vulnerability!

Oh, I almost forgot… you can find all the vulnerable servers using my online Google Parser tool, which I wrote a couple of weeks ago. With it you can get a clean list of all the vulnerable sites by searching for:

intitle:"jboss management console" "application server" version inurl:"web-console"

or

intitle:"JBoss Management Console - Server Information" "application server" inurl:"web-console" OR inurl:"jmx-console"

You can try different Google search strings and get a clean list of URLs of the Google search results with my Google Parser online tool.
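As an added example (not the Google Parser tool described above, and not code from JBoss itself), here is a small Python checker that takes the URLs such a search returns, derives the jmx-console and web-console root URLs for each host, and says whether they answer without asking for credentials. The hostnames and sample responses are constructed, and the page markers it looks for (taken from the search strings above and the jmx-console front-page heading) are an assumption to adjust for the JBoss version you see:

```python
"""Check whether a host's JBoss jmx-console / web-console answers without
authentication.  Added example for this post, not the author's Google Parser
tool; hostnames, responses and page markers below are constructed/assumed."""
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# The two web applications the post is about, at their stock context paths.
CONSOLE_PATHS = ("/jmx-console/", "/web-console/")

# Strings a console page is expected to contain (assumption: taken from the
# Google search strings in the post and the jmx-console front-page heading).
CONSOLE_MARKERS = ("JBoss Management Console", "JMX Management Console",
                   "JMX Agent View")


def console_urls(found_url):
    """Turn any URL a search engine returned for a host (e.g. a deep link into
    web-console) into the root URLs of both consoles on that host."""
    if "://" not in found_url:
        found_url = "http://" + found_url
    parts = urlsplit(found_url)
    return [urlunsplit((parts.scheme, parts.netloc, path, "", ""))
            for path in CONSOLE_PATHS]


def classify(status, body):
    """Verdict for one HTTP response to a console root URL.

    exposed   - 200 and the page looks like a JBoss console: anyone can use it
    protected - 401/403: a security-constraint or a front-end is asking for auth
    absent    - 404: no console deployed at that path
    unknown   - some other answer (proxy login page, custom error page, 5xx ...)
    """
    if status in (401, 403):
        return "protected"
    if status == 404:
        return "absent"
    if status == 200:
        return "exposed" if any(m in body for m in CONSOLE_MARKERS) else "unknown"
    return "unknown"


def probe(url, timeout=5):
    """Fetch one console URL and classify it (network access required)."""
    req = urllib.request.Request(url, headers={"User-Agent": "console-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return classify(resp.status, body)
    except urllib.error.HTTPError as err:       # 401, 403, 404, 500 ...
        return classify(err.code, "")
    except (urllib.error.URLError, OSError):    # refused, timeout, DNS failure
        return "absent"


# Constructed sample responses, as if captured from three different hosts.
SAMPLE_RESPONSES = {
    "http://open.example:8080/jmx-console/":
        (200, "<html><head><title>JBoss JMX Management Console</title>"
              "</head><body><h1>JMX Agent View</h1>..."),
    "http://open.example:8080/web-console/":
        (200, "<title>JBoss Management Console - Server Information</title>"),
    "http://locked.example:8080/jmx-console/":
        (401, ""),      # stock security-constraint replies with a Basic challenge
    "http://locked.example:8080/web-console/":
        (401, ""),
    "http://other.example/jmx-console/":
        (404, "<h1>HTTP Status 404</h1>"),
    "http://other.example/web-console/":
        (200, "<form>Corporate SSO login</form>"),   # a proxy answered instead
}


def check_samples():
    """Classify every constructed sample; returns {url: verdict}."""
    return {url: classify(status, body)
            for url, (status, body) in SAMPLE_RESPONSES.items()}


def exposed_hosts(verdicts):
    """Hosts with at least one console open to anyone, sorted."""
    return sorted({urlsplit(u).netloc for u, v in verdicts.items() if v == "exposed"})


if __name__ == "__main__":
    lines = [] if sys.stdin.isatty() else [l.strip() for l in sys.stdin if l.strip()]
    if lines:   # real hosts from a search-result list: probe over the network
        for url in sorted({u for l in lines for u in console_urls(l)}):
            print(probe(url).ljust(10), url)
    else:       # no input: show the verdicts on the constructed samples
        for url, verdict in check_samples().items():
            print(verdict.ljust(10), url)
```

Pipe the URL list from the search into the script, one URL per line, and only against hosts you are authorized to test. A console sitting behind the stock JBoss security constraint answers 401 with a Basic challenge, so "protected" is what a fixed server looks like; "unknown" usually means a reverse proxy or login page answered instead of the console and deserves a manual look.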

It's amazing how developers and network administrators still don't pay real attention to security!


3 Responses to “JBoss Security vulnerability JMX Management Console”


  1. Marco Momsen, Mar 1st, 2008 at 5:24 pm
  2. goohackle, Mar 3rd, 2008 at 1:12 am

    Thanks for sharing it Marco!

    Wow… it's amazing how there still are totally vulnerable servers just waiting for any script kiddie to do whatever he/she wants with them… or someone else with other purposes…

    But there still are a lot of people who don't care about IT security and a lot more who don't really understand what it is… it's not just using SSL and running a couple of automatic vulnerability detection tools and patching the "holes"… it's a LOT more…

  3. Francis, Feb 5th, 2009 at 12:34 pm

    Hi, JBoss is open to the world and nobody takes care of this!
