Exploit for GWT-RPC


opn

Jul 28, 2011, 8:43:53 AM
to Google Web Toolkit
I just read this:
http://www.allinfosec.com/2011/07/27/webapps-0day-ca-arcserve-d2d-r15-gwt-rpc-multiple-vulnerabilities/

I'm far from being an expert in security stuff, so my question is if
it's also an app-server specific problem that makes this possible
(Microsoft Windows Server 2003 r2 sp2) or if it does not matter on
which server it runs?

What can one do against this?

Regards
Alex

Filipe Sousa

Jul 28, 2011, 9:13:56 AM
to google-we...@googlegroups.com
I believe that's a problem with the web application. The attacker is calling the unprotected method HomepageService.getLocalHost() that returns a TrustHostModel with a hostname, password, port, user, userid,...
I'm not a security expert, but I would never request a password from the server.
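
An added example, not part of the thread and not code from the affected product or from GWT, showing the two server-side fixes the post above points at: requiring an authenticated session inside the RPC method, and leaving the password out of the returned model. `HomepageService`, `getLocalHost()` and `TrustHostModel` are the names quoted above; `HomepageServiceImpl`, the session key and the sample host values are assumptions.

```java
// Added illustration, not code from CA ARCserve D2D or from GWT itself.
// In a real GWT project the interface and the DTO are public types in the
// client/shared package; they share one file here to keep the example short.
import com.google.gwt.user.client.rpc.RemoteService;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;
import java.io.Serializable;
import javax.servlet.http.HttpSession;

// Service and method names are the ones quoted in the thread.
interface HomepageService extends RemoteService {
    TrustHostModel getLocalHost();
}

// What the browser receives. There is no password field: the stored
// credential is used on the server only and is never serialized.
class TrustHostModel implements Serializable {
    String hostname;
    int port;
    String user;

    TrustHostModel() { }   // no-arg constructor required by GWT-RPC

    TrustHostModel(String hostname, int port, String user) {
        this.hostname = hostname;
        this.port = port;
        this.user = user;
    }
}

public class HomepageServiceImpl extends RemoteServiceServlet
        implements HomepageService {

    // Assumption: the login code stores the user under this session key.
    static final String SESSION_USER = "authenticatedUser";

    @Override
    public TrustHostModel getLocalHost() {
        // A GWT-RPC method is a plain HTTP POST endpoint, so the check has to
        // happen here on the server, not in the client-side UI.
        HttpSession session = getThreadLocalRequest().getSession(false);
        if (session == null || session.getAttribute(SESSION_USER) == null) {
            // Undeclared exception: GWT answers with a generic failure.
            throw new SecurityException("authentication required");
        }
        // Constructed sample values standing in for the stored host record.
        return new TrustHostModel("backup01.example.internal", 8014, "svc-backup");
    }
}
```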

Jens

Jul 28, 2011, 9:25:07 AM
to google-we...@googlegroups.com
It's app specific, so it's not a bug in GWT-RPC nor does it depend on the app server you use.

-- J.

opn

Jul 28, 2011, 9:58:41 AM
to Google Web Toolkit
Ok, thanks for the information, that's good news!