malerisch.net

Time for some disclosure. Below, details of a CSRF bug discovered in Oracle GlassFish Server 3.1.1 few months ago. Interesting to observe that Oracle rates this as the third most critical bug fixed among the Oracle Sun Products. I guess that's because of the exploit which was included in the original report and which I am releasing as part of this advisory. I found a curios angle to exploit this bug, as arbitrary file upload of a WAR archive can be performed. A quite cool way to exploit a CSRF and own Oracle GlassFish, if you ask me :-). Enjoy. Details Vendor Site:  Oracle (www.oracle.com) Date:  April, 19th 2012 – CVE 2012-0550 Affected Software:  Oracle GlassFish Server 3.1.1 (build 12) Researcher:  Roberto Suggi Liverani PDF version:  http://www.security-assessment.com/files/documents/advisory/Oracle_GlassFish_Server_REST_CSRF.pdf Description Security-Assessment.com has discovered that the Oracle GlassFish Server REST interface is vulnerable to Cross Site Request F

A couple of weeks ago I have found myself working on a CSRF File Upload Proof-of-Concept (PoC) for a bug I have found in an Oracle product. I remember that Krzysztof Kotowicz did some research on a similar PoC not long time ago. A quick Google search brought me to his article on invisible arbitrary file upload in Flickr. So instead of reinventing the wheel, I have tried to use his PoC code available here . Unfortunately, the code was not working in my case and I was unsure whether that was depending on the browsers I was using (Firefox 8.0.1 and Chrome 15.0.874.121) and/or on the vulnerable application itself. Consequently, I have spent some time to come up with a PoC (or probably a good term would be a collage ) which would work in my case. The technique used is the same illustrated in Kotowicz's research and more information can be found here . In few words, the exploitation process is divided in two steps: 1) Use XHR to get a binary file and store it as a JavaScript object;