Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE request: Javamelody blind XSS through X-Forwarded-For header
From: Rafael Luque <rafael.luque.leiva () gmail com>
Date: Fri, 27 Sep 2013 10:29:34 +0200

The issue has already been fixed in the trunk (revision 3515):
http://code.google.com/p/javamelody/source/detail?r=3515

It's ready for the next release (1.47) and a new build including the fix
it's available at:
https://javamelody.googlecode.com/files/javamelody-20130927.jar

The release 1.47, including that fix, is supposed to be released in just a
few days from now.

Rafa


2013/9/27 Kurt Seifried <kseifried () redhat com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/26/2013 12:01 PM, Rafael Luque wrote:
Javamelody [1] includes a blind XSS vulnerability. An attacker
could provide an specially-crafted "X-Forwarded-For" HTTP header
while visiting a Java web application monitored with Javamelody
that would lead to arbitrary HTML or Javascript execution in the
context of the administrator user monitoring the panel of active
sessions in the application.

The versions affected are the last one 1.46 and all the previous
that include the session monitoring panel feature.

The issue has been reported to the project [2] but whithout
response by now.

The proof of concept may use the own Javamelody online demo:

1. Access the demo site [3] using a fake X-Forwarded-For header
like the following: <script>alert('xss')</script> 2. Then visit the
Javamelody sessions monitoring page at [4] and you should see the
Javascript running.

Can you allocate a CVE identifier for this?

Thank you && Regards,

Rafael Luque

[1] https://code.google.com/p/javamelody/ [2]
https://code.google.com/p/javamelody/issues/detail?id=346 [3]
http://demo.javamelody.cloudbees.net/ [4]
http://demo.javamelody.cloudbees.net/monitoring?part=sessions


Please use CVE-2013-4378 for this issue.

- --
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBAgAGBQJSRSIPAAoJEBYNRVNeJnmTESUP/03uh70VX0qS3yLBakwMFrpB
zUKnQElyqJzMh7N7Q0wBUk+eJPB5scJYqMeoi7HnCgyQPeuk0NGk3cmQT/DP/uXo
fs1ajYEX4KJS4ydKAdytvj1qI9aJdJF6cLoIf0ri7ZHtcbaFnFclYeaTXf9269L9
R1qJaM5+d3if8a3FGOXQbhDTFiY7ohzDzl/OsRybHTll8Z4UxaC+IlMgbMkDscHU
VVqQ6y0w7vqTyeG4vNhuE+XEeUmZxKdxNUQTsMqOhYGi4AS+unm553aQ+DAMeD9y
MODbkdAolh2CJkZsWdI8tfLQmWkRZ0FP8L5TQXkcu+EeE8aFdtlxoWPVU4PTXAak
LXCuMNQEG5ig/MNdYkNwTudBgRCUYKi50ek3XSf4tkovyNP+L9Lw3t/+5/EWpWg3
Y58hpzOKpL8ieRlrIFzW8rxOV0xFitn+aontZKuwxFv6wa+Av/Ku9eUvEZlkYmx1
LKzERCCz2V9dtjn0W/zpWf8Mg3A+KqST+7M22M0m9G4OwmIFwyWifs9TvigDwg/r
X4QbiJ9G8eWCk2Lpw1DNFVPoamIPoynYfRcOfQeC/P81QqeAyJ9yeejeIosR5TDc
9yP2VPJJZ7ufGMqwy/u8k/3VkKNSMQykX03u/t7GpyriZnw4DNvjd/PTynNvZMsL
IfKZCYKOkAqx7SqL+tD6
=Id6a
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault