Two Vulnerabilities in OpenWFE Web Client

2004-10-26T00:00:00
ID SECURITYVULNS:DOC:7070
Type securityvulns
Reporter Securityvulns
Modified 2004-10-26T00:00:00

Description

Two Vulnerabilities in OpenWFE

Author: Jose Antonio Coret (Joxean Koret)
Date: 2004
Location: Basque Country


Affected software description:

OpenWFE - Open WorkFlow Engine v1.4.x

OpenWFE is an open source Java workflow engine. It is a complete Business
Process Management suite with 4 components: an engine, a worklist, a
webclient and a reactor (host for automatic agents). It can also be used
behind the scenes.

Web : http://www.openwfe.org


Vulnerabilities:

A. Cross Site Scripting Vulnerability in the 'Login Form' of the Web Client.

A1. The login form of the Web Client has 3 fields:

    1.- The URL of the RMI Remote Service 
    2.- The username 
    3.- The Password

Well, the URL field is vulnerable to an XSS attack because the input is not validated.
To test the problem follow these steps:

    1.- Go to any site that has the OpenWFE webclient.
    2.- In the Worklist URL field insert, for example, the following data:

    rmi://localhost:7080/workSessionServer"><script>alert(document.cookie)</script>

    or this:

    rmi://<h1>hi</h1>:7099/workSessionServer

    3.- Enter any username and password, and press the button to login.

B. Possible Port Scanner

B1. The Worklist URL field has the form:

    rmi://<hostname>:<port>/location

Because of the nature of the Worklist URL parameter, it is possible to build a simple port/host
scanner from the perspective of the OpenWFE host.

Example:

    Query -> rmi://server/workSessionServer
    Response Time -> 1 second
    Response -> Error: java.rmi.UnknownHostException: Unknown host

    Query -> rmi://localhost:709/workSessionServer
    Response Time -> 1 second
    Response -> Error: java.rmi.ConnectException: Connection refused to host

    Query -> rmi://localhost:7085/workSessionServer
    Response Time -> 5 seconds
    Response -> Error: java.rmi.ConnectIOException: error during JRMP connection establishment

    Query -> rmi://drill.hackerslab.org:23/workSessionServer
    Response Time -> Greater than 5 seconds
    Response -> Error: java.rmi.ConnectIOException: non-JRMP server at remote endpoint

    Query -> rmi://192.168.1.2/workSessionServer
    Response Time -> Greater than 30 seconds
    Response -> No response, no timeout

Depending on the response time and the response text, it is quite easy to build a simple
port/host scanner.

The fix:

The problems have been fixed in the latest release of the OpenWFE web client. Go to http://www.openwfe.org for more information about the patch.
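As an added illustration, not OpenWFE's own code (and in Python rather than the web client's Java), the two server-side checks that close both issues above: a strict allowlist parser for the Worklist URL that rejects markup and any host:port outside the approved worklist (which removes both the injection point of A and the scanning use of B), and a renderer that escapes the echoed value and returns a fixed message instead of the raw java.rmi exception. The allowlist, port range, default port and form markup are assumptions made for this example.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed policy; a real web client would load it from configuration (assumption).
ALLOWED_HOSTS = {"localhost", "worklist.example.org"}   # approved worklist hosts
ALLOWED_PORTS = range(7080, 7090)                       # assumed RMI port range
HOST_RE = re.compile(r"^[a-z0-9](?:[a-z0-9.-]{0,252}[a-z0-9])?$")
PATH_RE = re.compile(r"^/[A-Za-z0-9_]{1,64}$")          # e.g. /workSessionServer
GENERIC_ERROR = "Could not connect to the worklist; check the URL and try again."

def validate_worklist_url(raw):
    """Return a canonical rmi://host:port/name URL or raise ValueError.

    Only rmi://<approved host>:<approved port>/<name> gets through, so neither
    injected markup nor an arbitrary host:port pair reaches the RMI client.
    """
    parts = urlsplit(raw.strip())
    if parts.scheme != "rmi" or parts.query or parts.fragment:
        raise ValueError("only plain rmi:// URLs are accepted")
    host = (parts.hostname or "").lower()
    if not HOST_RE.match(host) or host not in ALLOWED_HOSTS:
        raise ValueError("host is not an approved worklist host")
    try:
        port = parts.port if parts.port is not None else 7080  # assumed default
    except ValueError as exc:  # non-numeric or out-of-range port
        raise ValueError("malformed port") from exc
    if port not in ALLOWED_PORTS:
        raise ValueError("port is not an approved worklist port")
    if not PATH_RE.match(parts.path):
        raise ValueError("malformed service name")
    return f"rmi://{host}:{port}{parts.path}"

def is_valid_worklist_url(raw):
    """Boolean form of validate_worklist_url for callers that only branch."""
    try:
        validate_worklist_url(raw)
        return True
    except ValueError:
        return False

def render_login_error(raw):
    """HTML echoed into the login form after a failed attempt: the submitted
    value is entity-escaped before it lands inside value="...", and the message
    is a fixed string rather than the raw java.rmi exception text."""
    return (f'<input name="worklistUrl" value="{html.escape(raw, quote=True)}">'
            f'<p class="error">{GENERIC_ERROR}</p>')
```

The fixed error text also stops the response body from distinguishing refused, non-JRMP and unreachable endpoints; the allowlist is what stops the timing side of B, since no connection to an unapproved host is attempted at all.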

Disclaimer:

The information in this advisory and any of its demonstrations is provided "as is" without any warranty of any kind.

I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.


Contact:

Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es