Core Security Technologies Discovers Vulnerability in Springsource Hyperic HQ


Users Vulnerable to Cross-Site Scripting Flaw in Enterprise Monitoring and Systems Management Package

BOSTON, MA – Oct. 2, 2009 - Core Security Technologies, provider of CORE IMPACT, the most comprehensive product for proactive enterprise security testing, today issued an advisory disclosing vulnerabilities that could affect the many users of SpringSource’s Hyperic HQ enterprise monitoring and systems management software.

CoreLabs, the research arm of Core Security Technologies, discovered multiple cross-site scripting (XSS) vulnerabilities in the web interface of Hyperic HQ that can be exploited by an attacker to take control of the application and potentially any systems it is connected to. Specifically, the vulnerabilities allow an attacker to execute arbitrary JavaScript code in the browser of a user who holds an authenticated session with the application. They can be exploited remotely, either by enticing legitimate users to click on a URL with specially crafted parameters or through stored content that is executed when authenticated users visit various web pages within Hyperic HQ.

Made by SpringSource, a division of virtualization software maker VMware, Hyperic HQ is an open source program designed to manage web applications and various elements of IT infrastructure. It auto-discovers system resources (including hardware, operating systems and databases) and is able to monitor a range of hosts and services.

“Cross-site scripting continues to represent a significant point of risk in relation to many forms of online applications and web sites, allowing for attackers to gain control of the victim’s web browsers and use them to infiltrate mission-critical systems, or redirect users to nefarious content,” said Ivan Arce, CTO of Core Security Technologies. “In this particular case, the vulnerabilities found could be used to further escalate attacks by running scripts in the server hosting the application, which exemplifies the potential of multi-staged attacks that start by exploiting simple XSS bugs.”

SpringSource received and acknowledged the report of these vulnerabilities in September 2009 and addressed them with a security patch.

Information on this patch and a related security bulletin published by the vendor can be found at:

For more information on this vulnerability and the systems affected, please visit:

Vulnerability Specifics

CoreLabs initially discovered the vulnerabilities in Hyperic HQ as part of its ongoing research efforts. The flaws specifically affect Hyperic HQ versions 3.2, 4.0, 4.1 and the 4.2 beta release. Earlier, unsupported versions may also be affected.

Researchers specifically isolated multiple cross-site scripting vulnerabilities (both stored and reflected) in Hyperic HQ’s web interface that can be exploited by an attacker to execute arbitrary JavaScript code in the context of the browser of a legitimate, logged-in user.

The first instance, a reflected XSS vulnerability, was discovered in the product’s generic exception handler. When an uncaught exception occurs in Hyperic HQ, this generic exception handler is invoked and renders a stack trace, including the request data that caused the error, without sanitizing it, leading to the reflected XSS issue.

The flaw can be triggered by sending invalid data for numeric parameters to Hyperic HQ: the resulting exception carries the offending value in its message, and the web application prints that value without escaping HTML characters.

The second instance, a stored XSS vulnerability, was found in the 'Alerts' list of Hyperic HQ. An authenticated Hyperic user can create an alert with JavaScript code in the 'Description' field; when any user visits the 'Alerts' list, the 'Description' field of every alert is displayed without properly escaping special HTML characters, thus leading to a persistent XSS issue.

The Hyperic HQ web interface also includes a console that allows administrators to run Groovy code directly on the Hyperic server. That code is executed in the same process as the Hyperic server. So, by exploiting either of these XSS vulnerabilities to steal an administrator cookie, and then running arbitrary Groovy code through the web console, it appears to be possible not only to compromise the web application itself, but to fully compromise any machine on which the Hyperic software is running. Note that marking the session cookie HttpOnly would not close this path on its own: script executing in the administrator’s browser can still submit requests to the console within that session, so the effective fix is output encoding in the application.
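Both instances described above come down to the same defect: untrusted input reaching the HTML response without output encoding. The following Python is an added illustration of that defect and its fix, written for this page; it is not Hyperic HQ code, the function and field names are hypothetical, and the alert records and payloads are constructed samples. It shows the alert-list rendering and the exception-page rendering in their vulnerable and hardened forms, plus a small check a tester can run against a captured response body to see whether a probe value came back unescaped.

```python
"""Output-encoding illustration for the two Hyperic HQ XSS patterns.

Added example, not Hyperic HQ code. Function names, field names and the
sample data below are hypothetical constructs for this demonstration.
"""
import html

# Constructed sample data: one benign alert and one whose 'Description'
# carries a script payload, as an authenticated user could submit it.
SAMPLE_ALERTS = [
    {"name": "disk-full", "description": "Disk usage above 90%"},
    {"name": "evil", "description": '<img src=x onerror="alert(document.cookie)">'},
]


def render_alerts_unsafe(alerts):
    """Vulnerable pattern: field values are concatenated straight into HTML."""
    rows = "".join(
        f"<tr><td>{a['name']}</td><td>{a['description']}</td></tr>" for a in alerts
    )
    return f"<table>{rows}</table>"


def render_alerts_safe(alerts):
    """Hardened pattern: every untrusted value is HTML-escaped at output time.

    quote=True also encodes " and ', which matters when a value lands inside
    an attribute, not only between tags.
    """
    rows = "".join(
        f"<tr><td>{html.escape(a['name'], quote=True)}</td>"
        f"<td>{html.escape(a['description'], quote=True)}</td></tr>"
        for a in alerts
    )
    return f"<table>{rows}</table>"


def parse_numeric_param(name, raw):
    """Mimics a handler that expects a numeric query parameter.

    Like many frameworks, it puts the offending value into the exception
    message, which is how the value later reaches the error page.
    """
    try:
        return int(raw)
    except ValueError as exc:
        raise ValueError(f"Invalid value for {name}: {raw}") from exc


def error_page_unsafe(exc):
    """Vulnerable generic handler: echoes the exception text raw."""
    return f"<h1>Error</h1><pre>{exc}</pre>"


def error_page_safe(exc):
    """Hardened generic handler: the exception text is escaped before output."""
    return f"<h1>Error</h1><pre>{html.escape(str(exc), quote=True)}</pre>"


def handle_request(raw_id, hardened):
    """Toy request handler: valid ids render a page, invalid ones hit the
    generic error page, in either its vulnerable or hardened form."""
    try:
        return f"<p>Resource {parse_numeric_param('id', raw_id)}</p>"
    except ValueError as exc:
        return error_page_safe(exc) if hardened else error_page_unsafe(exc)


def is_reflected_unescaped(body, marker):
    """Check a tester can apply to a captured response: True when the probe
    value appears verbatim, i.e. was reflected without HTML encoding."""
    return marker in body


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"
    for hardened in (False, True):
        page = handle_request(probe, hardened)
        print(f"hardened={hardened}: reflected unescaped ="
              f" {is_reflected_unescaped(page, probe)}")
    print(render_alerts_safe(SAMPLE_ALERTS))
```

The probe-based check is deliberately simple: it only tells you whether a marker survived unencoded, which is the fact that matters for both the reflected and the stored case. Escaping at the point of output, rather than trying to filter on input, is what removes the issue in both renderers.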

SpringSource received and acknowledged the report of these vulnerabilities in September 2009 and released a security patch for affected versions of the product.

This vulnerability was discovered and researched by Gaston Rey and Pablo Carballo of CoreLabs during the Core Bugweek 2009 internal security assessment project.

About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. Research is conducted in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing and cryptography. Results from these efforts include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies.

CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at:

About Core Security Technologies

Core Security Technologies is the leader in comprehensive penetration testing software solutions that IT executives rely on to expose vulnerabilities, measure operational risk and assure security effectiveness. The company’s CORE IMPACT product family offers a comprehensive approach to assessing the security of network systems, endpoint systems, email users and web applications against complex threats. All CORE IMPACT security testing solutions are backed by trusted vulnerability research and leading-edge threat expertise from the company’s Security Consulting Services, CoreLabs and Engineering groups. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at:


Tim Whitman or Lauren O’Leary

Schwartz Communications

781 684-0770

Mon, October 05