JBoss AS administration consoles versions prior to 1.2 re-embed password that are disclosed when viewing page source. This is an obvious poor security practice and the vendor has decided not to fix it, possibly due to lack of comprehending why it is a bad idea.
c0f10c6904c19a05d1e8a3d0396455570738d1fbdff15f5f67e17fa95e061da2
Product: Embedded Jopr - JBoss AS Administration Console
Vendor: Red Hat Middleware, LLC
Version: < 1.2
Tested Version: 1.2
Vendor Notified Date: May 29, 2013
Release Date: June 03, 2013
Risk: Moderate
Authentication: Required
Remote: Yes
Description:
Passwords submitted to the application are returned in clear form in
later responses from the application. Although the password field is
masked, it is visible via the page source regardless of SSL.
This behavior increases the risk that passwords will be captured by an
attacker.
Specifically, this can be leveraged to pivot and gain access to
configured databases by viewing the page source or using browser tools
such as "inspect element" in chrome and firefox.
Successful exploitation of this vulnerability results in taking
complete control of database servers.
Exploit steps for proof-of-concept:
1. Navigate to: JBossAS Servers> JBoss AS> Resources> Datasources
2. Select Datasource
3. View page source
4. Find input type="password"
5. "value=" will contain the database password.
6. Dump database.
Vendor Notified: Yes
Vendor Response: Does not consider this to be an exploitable security
flaw due to type authenticated.
Reference:
CVE-2013-3734
http://www.halock.com/blog/cve-2013-3734-jboss-administration-console-password-returned-response/
amroot.com