'Re: [oss-security] CVE request: Javamelody blind XSS through X-Forwarded-For header'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE request: Javamelody blind XSS through X-Forwarded-For header
From:       Rafael Luque <rafael.luque.leiva () gmail ! com>
Date:       2013-09-27 8:29:34
Message-ID: CAJfirP=aPxvzzQWXb70GtioRnVETgohdb-vrkPu8Z9Pc60Di=g () mail ! gmail ! com
[Download RAW message or body]


The issue has already been fixed in the trunk (revision 3515):
http://code.google.com/p/javamelody/source/detail?r=3515

It's ready for the next release (1.47) and a new build including the fix
it's available at:
https://javamelody.googlecode.com/files/javamelody-20130927.jar

The release 1.47, including that fix, is supposed to be released in just a
few days from now.

Rafa


2013/9/27 Kurt Seifried <kseifried@redhat.com>

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 09/26/2013 12:01 PM, Rafael Luque wrote:
> > Javamelody [1] includes a blind XSS vulnerability. An attacker
> > could provide an specially-crafted "X-Forwarded-For" HTTP header
> > while visiting a Java web application monitored with Javamelody
> > that would lead to arbitrary HTML or Javascript execution in the
> > context of the administrator user monitoring the panel of active
> > sessions in the application.
> >
> > The versions affected are the last one 1.46 and all the previous
> > that include the session monitoring panel feature.
> >
> > The issue has been reported to the project [2] but whithout
> > response by now.
> >
> > The proof of concept may use the own Javamelody online demo:
> >
> > 1. Access the demo site [3] using a fake X-Forwarded-For header
> > like the following: <script>alert('xss')</script> 2. Then visit the
> > Javamelody sessions monitoring page at [4] and you should see the
> > Javascript running.
> >
> > Can you allocate a CVE identifier for this?
> >
> > Thank you && Regards,
> >
> > Rafael Luque
> >
> > [1] https://code.google.com/p/javamelody/ [2]
> > https://code.google.com/p/javamelody/issues/detail?id=346 [3]
> > http://demo.javamelody.cloudbees.net/ [4]
> > http://demo.javamelody.cloudbees.net/monitoring?part=sessions
> >
>
> Please use CVE-2013-4378 for this issue.
>
> - --
> Kurt Seifried Red Hat Security Response Team (SRT)
> PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.14 (GNU/Linux)
>
> iQIcBAEBAgAGBQJSRSIPAAoJEBYNRVNeJnmTESUP/03uh70VX0qS3yLBakwMFrpB
> zUKnQElyqJzMh7N7Q0wBUk+eJPB5scJYqMeoi7HnCgyQPeuk0NGk3cmQT/DP/uXo
> fs1ajYEX4KJS4ydKAdytvj1qI9aJdJF6cLoIf0ri7ZHtcbaFnFclYeaTXf9269L9
> R1qJaM5+d3if8a3FGOXQbhDTFiY7ohzDzl/OsRybHTll8Z4UxaC+IlMgbMkDscHU
> VVqQ6y0w7vqTyeG4vNhuE+XEeUmZxKdxNUQTsMqOhYGi4AS+unm553aQ+DAMeD9y
> MODbkdAolh2CJkZsWdI8tfLQmWkRZ0FP8L5TQXkcu+EeE8aFdtlxoWPVU4PTXAak
> LXCuMNQEG5ig/MNdYkNwTudBgRCUYKi50ek3XSf4tkovyNP+L9Lw3t/+5/EWpWg3
> Y58hpzOKpL8ieRlrIFzW8rxOV0xFitn+aontZKuwxFv6wa+Av/Ku9eUvEZlkYmx1
> LKzERCCz2V9dtjn0W/zpWf8Mg3A+KqST+7M22M0m9G4OwmIFwyWifs9TvigDwg/r
> X4QbiJ9G8eWCk2Lpw1DNFVPoamIPoynYfRcOfQeC/P81QqeAyJ9yeejeIosR5TDc
> 9yP2VPJJZ7ufGMqwy/u8k/3VkKNSMQykX03u/t7GpyriZnw4DNvjd/PTynNvZMsL
> IfKZCYKOkAqx7SqL+tD6
> =Id6a
> -----END PGP SIGNATURE-----
>


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic