---------------------------------------------------------------------------
Two Vulnerabilities in OpenWFE
---------------------------------------------------------------------------

Author: Jose Antonio Coret (Joxean Koret)
Date: 2004
Location: Basque Country

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

OpenWFE - Open WorkFlow Engine v1.4.x

OpenWFE is an open source Java workflow engine. It is a complete Business
Process Management suite with 4 components: an engine, a worklist, a
webclient and a reactor (host for automatic agents). It can also be used
behind the scenes.

Web: http://www.openwfe.org

---------------------------------------------------------------------------

Vulnerabilities:
~~~~~~~~~~~~~~~~

A. Cross Site Scripting Vulnerability in the 'Login Form' of the Web Client.

A1. The login form of the Web Client has 3 fields:

  1.- The URL of the RMI Remote Service
  2.- The username
  3.- The password

The URL field is vulnerable to an XSS attack because its value is not
validated. To test the problem follow these steps:

  1.- Go to any site that has the OpenWFE webclient.
  2.- In the Worklist URL field insert, for example, the following data:

      rmi://localhost:7080/workSessionServer"><script>alert(document.cookie)</script>

      or this:

      rmi://[HTML tag lost in extraction]hi[/tag]:7099/workSessionServer

  3.- Enter any username and password, and press the button to login.

B. Possible Port Scanner

B1. The Worklist URL field has the form -> rmi://host:port/location

Because the web client connects to whatever host and port the Worklist URL
names, it is possible to build a simple port/host scanner that runs from the
perspective of the OpenWFE host.

Example:

  Query         -> rmi://server/workSessionServer
  Response Time -> 1 second
  Response      -> Error : java.rmi.UnknownHostException: Unknown host

  Query         -> rmi://localhost:709/workSessionServer
  Response Time -> 1 second
  Response      -> Error : java.rmi.ConnectException: Connection refused to host

  Query         -> rmi://localhost:7085/workSessionServer
  Response Time -> 5 seconds
  Response      -> Error : java.rmi.ConnectIOException: error during JRMP connection establishment

  Query         -> rmi://drill.hackerslab.org:23/workSessionServer
  Response Time -> Greater than 5 seconds
  Response      -> Error : java.rmi.ConnectIOException: non-JRMP server at remote endpoint

  Query         -> rmi://192.168.1.2/workSessionServer
  Response Time -> Greater than 30 seconds
  Response      -> No response, no timeout

From the response time and the error message it is quite easy to build a
simple port/host scanner.

The fix:
~~~~~~~~

The problems have been fixed in the latest release of OpenWFE's web client.
Go to http://www.openwfe.org for more information about the patch.

Disclaimer:
~~~~~~~~~~~

The information in this advisory and any of its demonstrations is provided
"as is" without any warranty of any kind. I am not liable for any direct or
indirect damages caused as a result of using the information or
demonstrations provided in any part of this advisory.

---------------------------------------------------------------------------

Contact:
~~~~~~~~

Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<>>>>es
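As an added illustration of the kind of server-side check that closes both findings (this is example code written for this page, not OpenWFE's own patch): a Java validator for the Worklist URL field. It parses the submitted value as a URI, which already rejects the quote and angle-bracket characters the XSS payload depends on; it HTML-escapes anything it echoes back into the login page; and it compares the host and port against an operator-configured allow-list before any RMI connection is attempted, returning one uniform message so the form no longer reveals whether an arbitrary host resolves or a port answers. The class name, the allow-list entries, the fallback to the RMI registry default port 1099 and the error texts are assumptions made for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Added example, not OpenWFE code. Validation for the web client's
// "Worklist URL" login field, covering both findings in the advisory:
//   A. the value is parsed as a URI (which rejects '"', '<' and '>') and is
//      HTML-escaped wherever it is echoed back, so no script reaches the page;
//   B. host:port is checked against an allow-list and rejected with a generic
//      message, so the form cannot report whether some other host or port answers.
// Class name, allow-list entries and message texts are assumptions.
public final class WorklistUrlValidator {

    // Hypothetical deployment setting: the only RMI endpoints the web client may
    // contact. A real installation would load this from its configuration.
    private static final Set<String> ALLOWED_ENDPOINTS = Set.of(
            "localhost:7080",
            "worklist.example.internal:7080");

    private static final String REQUIRED_PATH = "/workSessionServer";
    private static final int RMI_REGISTRY_DEFAULT_PORT = 1099; // assumed fallback
    private static final int MAX_INPUT_LENGTH = 256;

    /** Outcome of validation: an accepted, normalised URL or a page-safe error message. */
    public static final class Result {
        public final boolean accepted;
        public final String message;       // already HTML-escaped
        public final String normalizedUrl; // null when rejected

        Result(boolean accepted, String message, String normalizedUrl) {
            this.accepted = accepted;
            this.message = message;
            this.normalizedUrl = normalizedUrl;
        }
    }

    public static Result validate(String rawInput) {
        if (rawInput == null || rawInput.isEmpty() || rawInput.length() > MAX_INPUT_LENGTH) {
            return reject("Worklist URL is missing or too long");
        }
        final URI uri;
        try {
            uri = new URI(rawInput);
        } catch (URISyntaxException e) {
            // The advisory's payload contains '"', '<' and '>', all illegal in a URI,
            // so it stops here; the echoed copy is escaped before it reaches HTML.
            return reject("Malformed worklist URL: " + escapeHtml(rawInput));
        }
        if (!"rmi".equalsIgnoreCase(uri.getScheme()) || uri.getHost() == null
                || uri.getUserInfo() != null || uri.getQuery() != null
                || uri.getFragment() != null) {
            return reject("Worklist URL must look like rmi://host:port" + REQUIRED_PATH);
        }
        if (!REQUIRED_PATH.equals(uri.getPath())) {
            // getPath() is percent-decoded, so an encoded payload also lands here, escaped.
            return reject("Unexpected RMI service name: " + escapeHtml(uri.getPath()));
        }
        int port = uri.getPort() == -1 ? RMI_REGISTRY_DEFAULT_PORT : uri.getPort();
        String endpoint = uri.getHost().toLowerCase(Locale.ROOT) + ":" + port;
        if (!ALLOWED_ENDPOINTS.contains(endpoint)) {
            // Checked before any socket is opened and worded uniformly, so neither the
            // message nor the response time says whether the host exists or the port is open.
            return reject("Worklist endpoint is not permitted by this installation");
        }
        return new Result(true, "", "rmi://" + endpoint + REQUIRED_PATH);
    }

    private static Result reject(String escapedMessage) {
        return new Result(false, escapedMessage, null);
    }

    /** Minimal HTML escaping for text placed in element content or a quoted attribute. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Sample inputs: one legitimate URL plus values quoted in the advisory.
        String[] samples = {
            "rmi://localhost:7080/workSessionServer",
            "rmi://localhost:7080/workSessionServer\"><script>alert(document.cookie)</script>",
            "rmi://localhost:709/workSessionServer",
            "rmi://192.168.1.2/workSessionServer",
        };
        for (String s : samples) {
            Result r = validate(s);
            System.out.println(r.accepted ? "ACCEPT " + r.normalizedUrl : "REJECT " + r.message);
        }
    }
}
```

Only the first sample is accepted; the script payload fails URI parsing and is echoed escaped, while the two off-list endpoints get the same generic rejection regardless of whether anything listens there, which is what removes the timing and error-message side channel described under B.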