Uploaded image for project: 'OpenNMS'
  1. OpenNMS
  2. NMS-10546

Cross-Site Scripting: Reflected

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 21.1.0
    • Fix Version/s: 23.0.3, Meridian-2018.1.5, 24.0.0
    • Component/s: None
    • Security Level: Default (Default Security Scheme)
    • Labels:
      None
    • Sprint:
      Horizon - January 30th-2 2019

      Description

      The details of the test performed by the tool is shown below ::

      Cross-Site Scripting: Reflected ( 5649 )

      CWE: 79,80,82,83,87,116,692,811
      Kingdom: Input Validation and Representation

      Page: https://15.112.157.208:8443/opennms/frontPage.htm
      Parameter: Accept-Language

      Request:
      GET /opennms/frontPage.htm HTTP/1.1
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
      User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/538.1 (KHTML,
      like Gecko) PhantomJS/2.1.1 Safari/538.1
      Pragma: no-cache
      Referer: https://15.112.157.208:8443/opennms/frontPage.htm
      Connection: Keep-Alive
      X-WIPP: AscVersion=17.10.283.0
      X-Scan-Memo: Category="Audit.Attack";
      SID="032FEDE11F0B7A13B81D5286087ED859";
      PSID="CC03D2ABCA71929C71844CE6F4FC4BBA"; SessionType="AuditAttack";
      CrawlType="None"; AttackType="HeaderParamManipulation";
      OriginatingEngineID="1354e211-9d7d-4cc1-80e6-4de3fd128002";
      AttackSequence="2"; AttackParamDesc="Accept-Language"; AttackParamIndex="9";
      AttackParamSubIndex="0"; CheckId="5105"; Engine="Cross+Site+Scripting";
      SmartMode="NonServerSpecificOnly"; AttackString="en-US%2c*%22%3e%3csCrIpT%
      3ealert(51785)%3c%2fsCrIpT%3e"; AttackStringProps="Attack"; ThreadId="55";
      ThreadType="AuditorStateRequestor";
      X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="37df69df-d87a-4b01-
      a62f-2f706dfca94f";
      X-Request-Memo: ID="34d098f6-6be6-4389-98f5-24aa971c5ec6"; sc="1";
      ThreadId="55";
      Cookie:
      JSESSIONID=node0kgegg0ggojmuz9p5bzmq2qs6749.node0;CustomCookie=WebInspect147
      212ZXC7AE1FF5E9964D538801C2DC17B75C68Y14FF;JSESSIONID=node0kgegg0ggojmuz9p5b
      zmq2qs6749.node0
      Accept-Encoding: gzip, deflate
      Accept-Language: en-US,*"><sCrIpT>alert(51785)</sCrIpT>
      Host: 15.112.157.

       

      Response:
      HTTP/1.1 403 Forbidden
      Date: Mon, 21 Jan 2019 06:45:29 GMT
      Content-Type: text/html;charset=utf-8
      Server: Jetty(9.4.2.v20170220)
      Content-Length: 10983
      ...TRUNCATED... -->
      <meta name="gwt:property" content="locale=*"><script>alert(51785)</script>
      ">
      <base href="https://15.112.157.208:8...TRUNCATED...

        Attachments

          Activity

            People

            • Assignee:
              mbrooks Matthew Brooks
              Reporter:
              j-white Jesse White
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: