
Cross-Frame Scripting

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 21.1.0
    • Fix Version/s: 23.0.3, Meridian-2018.1.5, 24.0.0
    • Component/s: None
    • Security Level: Default (Default Security Scheme)
    • Labels: None
    • Sprint: Horizon - January 30th-2 2019, Horizon - Feb 6th 2019

      Description

      The details of the test performed by the tool are shown below:

      Cross-Frame Scripting ( 11293 )
      CWE: 352
      Kingdom: Security Features
      Page: https://15.112.157.208:8443/opennms/login.jsp
      Request:
      GET /opennms/login.jsp HTTP/1.1
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/538.1 (KHTML, like Gecko) PhantomJS/2.1.1 Safari/538.1
      Pragma: no-cache
      Connection: Keep-Alive
      X-WIPP: AscVersion=17.10.283.0
      X-RequestManager-Memo: Category="TrafficMacro.StartMacro"; MacroName="WebProxyGenerated"; tid="ac230de9-ee83-4990-9beb-0793f26f4d77"; sid="29"; smi="0"; sc="1"; ID="4f5ac3db-6190-4dc0-a88c-390760f68f07";
      X-Scan-Memo: Category="Macro"; SID="F8B0AC0CA3E17D9FC2F794044D2CDC01"; PSID="CC03D2ABCA71929C71844CE6F4FC4BBA"; SessionType="StartMacro"; CrawlType="None"; AttackType="None"; OriginatingEngineID="00000000-0000-0000-0000-000000000000"; MacroName="login_macro";
      X-Request-Memo: ID="65163400-9cdb-4900-b04c-a130010db43e"; sc="1"; ThreadId="52";
      Cookie: JSESSIONID=node0vo1069vnkrl1e1oaiwkl44x2742.node0; JSESSIONID=node0vo1069vnkrl1e1oaiwkl44x2742.node0;CustomCookie=WebInspect147212ZXC7AE1FF5E9964D538801C2DC17B75C68Y14FF
      Accept-Encoding: gzip, deflate
      Accept-Language: en-US,*
      Host: 15.112.157.208:8443

      Response:
      HTTP/1.1 200 OK
      Date: Mon, 21 Jan 2019 06:45:00 GMT
      Content-Type: text/html;charset=utf-8
      Server: Jetty(9.4.2.v20170220)
      Content-Length: 5201
      <!DOCTYPE html>
      <html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en' xmlns:opennms='xsds/coreweb.xsd'>
      <head>
      <title>OpenNMS Web Console</title>
      <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
      <meta http-equiv="Content-Style-Type" content="text/css"/>
      <meta http-equiv="Content-Script-Type" content="text/javascript"/>
      <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
      <meta name="viewport" content="initial-scale=1, maximum-scale=1, user-scalable=no, width=device-width">
      <meta name="apple-itunes-app" content="app-id=968875097">
      <!-- Set GWT property to get browsers locale -->
      <meta name="gwt:property" content="locale=en_US">
      <base href="https://15.112.157.208:8443/opennms/" />
      <!-- -->
      <link rel="stylesheet" type="text/css" href="https://15.112.157.208:8443/opennms/css/bootstrap.css" media="screen" />
      <link rel="stylesheet" type="text/css" href="https://15.112.157.208:8443/opennms/css/opennms-theme.css" media="screen" />
      <link rel="stylesheet" type="text/css" href="https://15.112.157.208:8443/opennms/lib/font-awesome/css/font-awesome.css" />
      <link rel="stylesheet" type="text/css" href="https://15.112.157.208:8443/opennms/css/print.css" media="print" />
      <link rel="shortcut icon" href="https://15.112.157.208:8443/opennms/favicon.ico" />
      <script type="text/javascript" src="https://15.112.157.208:8443/opennms/lib/requirejs/require.js"></script>
      <script type="text/javascript" src="https://15.112.157.208:8443/opennms/js/global.js"></script>
      <script type="text/javascript" src="https://15.112.157.208:8443/opennms/lib/jquery/dist/jquery.js"></script>
      <script type="text/javascript" src="https://15.112.157.208:8443/opennms/lib/bootstrap/dist/js/bootstrap.js"></script>
      </head>
      <body role="document" class="fixed-nav">
      <!-- Bootstrap header -->
      <nav class="navbar navbar-inverse navbar-fixed-top" id="header" role="navigation">
      <!-- Brand and toggle get grouped for better mobile display -->
      <div class="navbar-header">
      <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar">
      <span class="sr-only">Toggle navigation</span>
      <span class="icon-bar"></span>
      <span class="icon-bar"></span>
      <span class="icon-bar"></span>
      </button>
      <a class="navbar-brand" href="https://15.112.157.208:8443/opennms/index.jsp">
      <img id="logo" src="https://15.112.157.208:8443/opennms/images/horizon_logo.svg" alt="OpenNMS" onerror="this.src='https://15.112.157.208:8443/opennms/images/horizon_logo_small.png'" />
      </a>
      </div>
      <div style="margin-right: 15px" id="navbar" class="navbar-collapse collapse">
      <ul class="nav navbar-nav navbar-right">
      </ul>
      </div>
      </nav>
      <script type='text/javascript'>
      if (window.location != window.parent.location && window.name.indexOf("-withheader") == -1) {
          // Hide the header
          $("#header").hide();
          // Remove any padding from the body
          $("body.fixed-nav").attr('style', 'padding-top: 0px !important');
      }
      </script>
      <!-- End bootstrap header -->
      <!-- Body -->
      <div id="content" class="container-fluid">
      <div class="row row-centered login">
      <div class="col-md-6 col-centered">
      <form class="form-horizontal" role="form" action="j_spring_security_check" method="post">
      <div class="form-group">
      <label for="input_j_username" class="col-sm-4 control-label">Username</label>
      <div class="col-sm-8">
      <input type="text" class="form-control" id="input_j_username" name="j_username" placeholder="Username" autofocus="autofocus" />
      </div>
      </div>
      <div class="form-group">
      <label for="j_password" class="col-sm-4
      ...TRUNCATED...

            People

            • Assignee: mbrooks Matthew Brooks
            • Reporter: j-white Jesse White
            • Votes: 0
            • Watchers: 2
