BugTraq
Jboss vulnerability Feb 20 2007 01:06PM
dexie tsn cc (4 replies)
Re: Jboss vulnerability (AUSCERT#2007d2feb) Feb 20 2007 11:48PM
AusCERT (auscert auscert org au)

Hi Ben, Bugtraq,

For the record, AusCERT is more than happy to assist researchers with
coordinated responsible vulnerability disclosure; in fact, you may remember
us from coordinated vuln disclosures such as:

http://www.auscert.org.au/render.html?it=4091

We are happy to work with researchers and vendors and to keep your details
anonymous if you so wish.

This of course typically relies on you contacting us prior to public
disclosure.

You mention in the below email that:

"auscert (sic) have no vulnerability reporting option"

Granted, we have no webform that you can fill out and submit regarding
vulnerabilities (and we have never had a request from a researcher to
implement such a thing).

All the AusCERT contact details are available from:

http://www.auscert.org.au/1922

These options include:

phone, fax, postal mail, email

This page includes a link to our PGP key should you wish to communicate
securely via email.

We will certainly investigate this issue further, and will begin notifying
potentially vulnerable parties exposed to this issue.

Best regards,

MacLeonard

- --
MacLeonard Starkey, Security Analyst | Hotline: +61 7 3365 4417
AusCERT | Fax: +61 7 3365 7031
Australia's National CERT | WWW: www.auscert.org.au
Brisbane QLD Australia | Email: auscert (at) auscert.org (dot) au

> Just fired this off to USCERT, not pretty.
>
> ---------------------------- Original Message ----------------------------
> Subject: jboss vulnerability
> From: dexie (at) tsn (dot) cc
> Date: Tue, February 20, 2007 10:54 pm
> To: cert (at) cert (dot) org
> Cc: soc (at) us-cert (dot) gov
> --------------------------------------------------------------------------
>
> Hi guys.
>
> I am an IT Security analyst in Canberra, Australia.
>
> I recently encountered an issue with jboss, which led me to do some Google
> enumeration...
>
> http://www.google.com.au/search?q=inurl:inspectMBean
>
> The search will pull up around 41500 results. Click on any of the links
> and you will gain access to the backend app (i.e. start/stop services,
> modify data, etc.). I do not know if this will work in all cases, however I
> would recommend a good deal of caution if you do follow any of the links.
>
> Please let me know if you need any further info - I have nfi who to
> actually contact as auscert has no vulnerability reporting option and this
> is a first for me...
>
>
> Regards,
> Ben Dexter.
> +61 2 6207 0368

Re: Jboss vulnerability Feb 20 2007 11:06PM
Javier Antunez (javier antunez gmail com)
Re: Jboss vulnerability Feb 20 2007 04:40PM
James Davis (jamesd cert ja net)
Re: Jboss vulnerability Feb 20 2007 04:30PM
Harry Hoffman (hhoffman ip-solutions net)
Copyright 2010, SecurityFocus