From: David S Taylor
To: Jetspeed Users List <jetspeed-user@portals.apache.org>
Subject: [CVE-2016-0710] Apache Jetspeed information disclosure vulnerability
Date: Thu, 3 Mar 2016 13:16:30 -0800
Message-Id: <046318A1-226E-453F-9394-B84F1A33E6A4@bluesunrise.com>

CVE-2016-0710: SQL injection in User Manager service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Jetspeed 2.3.0

Description:
The Jetspeed User Manager service, part of the Jetspeed Administrative Portlets, is vulnerable to SQL injection. When performing a search in these tools, the 'user' and 'role' parameters of the request can be injected to alter the logic of the subsequent SQL statement.

There is also an authorization flaw at play here since the above URLs can be reached without being authenticated in Jetspeed.

Mitigation:
2.3.0 users should upgrade to 2.3.1

Example:
Given this URL:
http://192.168.2.4:8080/jetspeed/services/usermanager/users/?_type=json&results=10&start=0&sort=userName&dir=asc&name=&roles=foo%27%20

The 'role' parameter contains the value "foo" which is not an existing role, but because of the injected SQL code (or '1'='1') the statement returns true anyway and all the existing users are shown.

Credit:
This issue was discovered by Andreas Lindh

References:
http://tomcat.apache.org/security.html
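The query shape the advisory above describes, as an added example that is not Jetspeed's own code: a role-filtered user search built by string concatenation, next to a version that binds the role as a parameter and maps the sort column and direction through an allowlist (ORDER BY cannot take a bound parameter, which is the part people forget after fixing the WHERE clause). The schema, table and column names, sample rows and the hypothetical function names are constructed for the demo; the payload is the closing quote followed by or '1'='1' that the message describes.

```python
"""
Constructed demonstration of the injection pattern described in the advisory
above: a user search filtered by role, first built by string concatenation
(vulnerable) and then with bound parameters plus an allowlist for the
ORDER BY column and direction (hardened).  Example code only; it is not
Jetspeed's UserManager service, and the schema, names and data are made up.
"""
import sqlite3

# Hypothetical schema and sample rows standing in for the portal's user/role
# tables.  Column names follow the request parameters (userName, roles).
SCHEMA = """
CREATE TABLE users      (userId INTEGER PRIMARY KEY, userName TEXT NOT NULL);
CREATE TABLE roles      (roleId INTEGER PRIMARY KEY, roleName TEXT NOT NULL);
CREATE TABLE user_roles (userId INTEGER NOT NULL, roleId INTEGER NOT NULL);
INSERT INTO users      VALUES (1, 'admin'), (2, 'manager'), (3, 'guest');
INSERT INTO roles      VALUES (1, 'admin'), (2, 'manager'), (3, 'user');
INSERT INTO user_roles VALUES (1, 1), (2, 2), (3, 3);
"""

# ORDER BY cannot take a bound parameter, so the request's sort/dir values
# are mapped through a fixed allowlist instead of being pasted into the SQL.
ALLOWED_SORT = {"userName": "u.userName", "userId": "u.userId"}
ALLOWED_DIR = {"asc": "ASC", "desc": "DESC"}

# The payload the advisory describes: a closing quote followed by or '1'='1'.
PAYLOAD = "foo' or '1'='1"


def open_demo_db():
    """In-memory SQLite database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_users_vulnerable(conn, role, sort="userName", direction="asc"):
    """Vulnerable form: request values are concatenated into the SQL text,
    so a quote in 'role' (or anything in 'sort'/'direction') rewrites the
    statement instead of being treated as data."""
    sql = (
        "SELECT u.userName FROM users u "
        "JOIN user_roles ur ON ur.userId = u.userId "
        "JOIN roles r ON r.roleId = ur.roleId "
        "WHERE r.roleName = '" + role + "' "
        "ORDER BY " + sort + " " + direction
    )
    return [row[0] for row in conn.execute(sql)]


def search_users_hardened(conn, role, sort="userName", direction="asc"):
    """Hardened form: the role is passed as a bound parameter, and the sort
    column/direction are looked up in the allowlist (unknown values are
    rejected rather than interpolated)."""
    if sort not in ALLOWED_SORT or direction.lower() not in ALLOWED_DIR:
        raise ValueError("unsupported sort/dir value")
    sql = (
        "SELECT u.userName FROM users u "
        "JOIN user_roles ur ON ur.userId = u.userId "
        "JOIN roles r ON r.roleId = ur.roleId "
        "WHERE r.roleName = ? "
        "ORDER BY %s %s" % (ALLOWED_SORT[sort], ALLOWED_DIR[direction.lower()])
    )
    return [row[0] for row in conn.execute(sql, (role,))]


def demo():
    """Run both versions against the payload, a legitimate role, and an
    attempt to inject through the sort column."""
    conn = open_demo_db()
    try:
        search_users_hardened(conn, "admin", sort="userName, (SELECT 1)")
        sort_rejected = False
    except ValueError:
        sort_rejected = True
    return {
        "vulnerable": search_users_vulnerable(conn, PAYLOAD),  # every user
        "hardened": search_users_hardened(conn, PAYLOAD),      # no such role
        "legit": search_users_hardened(conn, "admin"),
        "sort_rejected": sort_rejected,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running demo() shows the difference the advisory describes: the concatenated query returns every user for a role that does not exist, while the bound-parameter query returns nothing for the same input and still works for a real role. The sort allowlist is the second half of the fix; a parameterised WHERE clause alone leaves ORDER BY open to the same treatment.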