Safetech Blog - Security Tips and Tricks


by Ionut Cernica

AT&T – Old version of JBoss and default credentials

I found an old JBoss console on one of the AT&T subdomains https://espcare.att.com/

There was an old version of the JBoss web application; the application was vulnerable to authentication bypass, not to mention that I was able to authenticate with the default username and password.

Risk: I was able to deploy an application of my choice on the server and to send system commands.


I made a responsible disclosure on 17.03.2014.

They asked me two questions:

“Our development team is needing answers to the following questions:

1. Would upgrading our JBOSS version fix the issue? If yes, what version is being recommended, as there could be a case where we need to check inter-compatibility between multiple software we have installed on the server.

2. Do we need to change the credentials of the jmx console?”

I tried hard not to be ironic when giving the answers.

They informed me on 17.05.2014 that they had solved the problem!
