portals-jetspeed-user mailing list archives

From David S Taylor <da...@bluesunrise.com>
Subject [CVE-2016-0710] Apache Jetspeed information disclosure vulnerability
Date Thu, 03 Mar 2016 21:16:30 GMT
CVE-2016-0710: SQL injection in User Manager service

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Jetspeed 2.3.0

Description:
The Jetspeed User Manager service, part of the Jetspeed Administrative Portlets, is vulnerable
to SQL injection. When a search is performed through these tools, the request's 'user' and 'role'
parameters are incorporated into the SQL statement without sanitization, so an attacker can supply
values that alter the logic of the resulting statement.
There is also an authorization flaw: the service URL shown in the example below can be reached
without being authenticated in Jetspeed.

Mitigation:
Users of Jetspeed 2.3.0 should upgrade to 2.3.1.

Example:
Given this URL:
http://192.168.2.4:8080/jetspeed/services/usermanager/users/?_type=json&results=10&start=0&sort=userName&dir=asc&name=&roles=foo%27%20

The 'roles' parameter value begins with "foo", which is not an existing role, followed by a
single quote that terminates the string literal in the generated SQL. Because the injected SQL
code (or '1'='1') makes the WHERE clause true regardless, the statement matches every row and
all existing users are returned, without authentication.
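The following is an added illustration of the injection pattern described above; it is not Jetspeed code and does not reproduce the User Manager service. It uses an in-memory SQLite table of constructed sample users, an assumed `search_users_vulnerable` that splices the `roles` parameter into the SQL text (the flawed pattern), an assumed `search_users_fixed` that binds it as a parameter, and an assumed `handle_request` gate standing in for the missing authentication check. The payload URL completes the advisory's truncated example with the `or '1'='1'` fragment the text describes.

```python
"""Added example: string-concatenated vs. parameterized role search (not Jetspeed code)."""
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample data standing in for the portal's user/role tables.
SAMPLE_USERS = [("admin", "admin"), ("jetspeed", "user"), ("guest", "guest")]

# Constructed from the advisory's example URL plus the described "or '1'='1'" payload.
PAYLOAD_URL = ("http://192.168.2.4:8080/jetspeed/services/usermanager/users/"
               "?_type=json&results=10&start=0&sort=userName&dir=asc&name="
               "&roles=foo%27%20or%20%271%27%3D%271")


def build_db() -> sqlite3.Connection:
    """Create an in-memory table with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_name TEXT, role_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def search_users_vulnerable(conn: sqlite3.Connection, role: str) -> list:
    """Flawed pattern: the request parameter is spliced into the statement text,
    so a value of  foo' or '1'='1  turns the WHERE clause into a tautology."""
    sql = ("SELECT user_name FROM users WHERE role_name = '" + role
           + "' ORDER BY user_name")
    return [row[0] for row in conn.execute(sql)]


def search_users_fixed(conn: sqlite3.Connection, role: str) -> list:
    """Hardened form: the value is bound as a parameter and can never change
    the statement's structure; the same payload simply matches no role."""
    sql = "SELECT user_name FROM users WHERE role_name = ? ORDER BY user_name"
    return [row[0] for row in conn.execute(sql, (role,))]


def role_from_url(url: str) -> str:
    """Extract the 'roles' query parameter as the endpoint would receive it."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("roles", [""])[0]


def handle_request(conn: sqlite3.Connection, url: str, authenticated: bool, query_fn):
    """Hypothetical request gate: the advisory's second flaw was that the
    endpoint answered without authentication, so refuse unauthenticated calls
    (None stands in for an HTTP 401) before running any query."""
    if not authenticated:
        return None
    return query_fn(conn, role_from_url(url))


if __name__ == "__main__":
    db = build_db()
    payload = role_from_url(PAYLOAD_URL)
    print("injected value:", repr(payload))
    print("vulnerable query returns:", search_users_vulnerable(db, payload))
    print("parameterized query returns:", search_users_fixed(db, payload))
    print("unauthenticated request:", handle_request(db, PAYLOAD_URL, False,
                                                    search_users_vulnerable))
```

With the constructed data, the concatenated query returns all three users for the injected value while the bound query returns none, which is exactly the information-disclosure behaviour the advisory describes; the authentication gate shows the second control that was missing.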

Credit:
This issue was discovered by Andreas Lindh

References:
http://tomcat.apache.org/security.html