Details

    • Type: Sub-task
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 26.0.0
    • Component/s: None
    • Security Level: Default (Default Security Scheme)
    • Labels: None
    • Sprint: Horizon 2020 - March 18th, Horizon 2020 - April 1st

      Description

      [RIPS] found 3 Open Redirect issues in the following files of OpenNMS 25.1.2:

      AcknowledgeAlarmController
      https://github.com/OpenNMS/opennms/blob/master/opennms-webapp/src/main/java/org/opennms/web/controller/alarm/AcknowledgeAlarmController.java
      AcknowledgeNotificationController
      https://github.com/OpenNMS/opennms/blob/master/opennms-webapp/src/main/java/org/opennms/web/controller/notification/AcknowledgeNotificationController.java
      AcknowledgeAlarmByFilterController
      https://github.com/OpenNMS/opennms/blob/master/opennms-webapp/src/main/java/org/opennms/web/controller/alarm/AcknowledgeAlarmByFilterController.java

      The first issue can be exploited via the GET parameter `redirect` by accessing the following URL:
      `http://192.168.56.102:8980/opennms/alarm/acknowledge?redirect=http://google.com&actionCode=unack&alarm=1`

      The second issue can be exploited via the GET parameter `redirect` by accessing the following URL:
      `192.168.56.102:8980/opennms/notification/acknowledge?redirect=http://google.com&notices=1`

      The third issue can be exploited via the GET parameter `redirect` by accessing the following URL:
      `http://192.168.56.102:8980/opennms/alarm/acknowledgeByFilter?redirect=http://google.com&actionCode=unack`

      For more information about fixing an Open Redirect see:

      https://owasp.org/www-project-cheat-sheets/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
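      The OWASP cheat sheet linked above recommends validating a user-supplied redirect target against an allow-list of local destinations before issuing the redirect. The following Java class is an added example of such a check for the `redirect` parameter described in this issue; it is not OpenNMS project code and does not reproduce the fix committed for 26.0.0. It assumes the application is served under the `/opennms` context path and uses a hypothetical default landing page; only relative paths inside that context are accepted, and everything else (absolute URLs, protocol-relative URLs, paths that escape the context after normalisation) falls back to the default.

```java
import java.net.URI;
import java.net.URISyntaxException;

/**
 * Added example, not OpenNMS project code: validates a user-supplied
 * "redirect" request parameter before it is used in a redirect response.
 * Only relative paths inside the application context are accepted;
 * anything else is replaced by a fixed, safe default target.
 */
public final class RedirectTargetValidator {

    // Assumption: the web application is served under this context path.
    private static final String CONTEXT_PATH = "/opennms";

    // Hypothetical default landing page used when the parameter is rejected.
    private static final String DEFAULT_TARGET = CONTEXT_PATH + "/alarm/list.htm";

    private RedirectTargetValidator() {}

    /** Returns the supplied target if it is safe, otherwise the default target. */
    public static String sanitize(String redirect) {
        return isSafe(redirect) ? redirect : DEFAULT_TARGET;
    }

    /** True only for relative paths that stay within CONTEXT_PATH. */
    public static boolean isSafe(String redirect) {
        if (redirect == null || redirect.isEmpty()) {
            return false;
        }
        // Reject backslashes and control characters up front: browsers
        // normalise "\" to "/", so "/\host" would be treated as "//host".
        for (char c : redirect.toCharArray()) {
            if (c == '\\' || c < 0x20 || c == 0x7f) {
                return false;
            }
        }
        URI uri;
        try {
            uri = new URI(redirect);
        } catch (URISyntaxException e) {
            return false;
        }
        // A scheme (http:, javascript:, ...) or an authority (//host) means
        // the target leaves this application.
        if (uri.isAbsolute() || uri.getRawAuthority() != null) {
            return false;
        }
        String path = uri.getRawPath();
        if (path == null || !path.startsWith(CONTEXT_PATH + "/")) {
            return false;
        }
        // The normalised path must still be inside the context path,
        // which blocks "/opennms/../elsewhere" style traversal.
        String normalized = uri.normalize().getRawPath();
        return normalized != null && normalized.startsWith(CONTEXT_PATH + "/");
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the first is accepted, the rest rejected.
        String[] samples = {
            "/opennms/alarm/detail.htm?id=1", // relative path inside the context
            "http://google.com",              // absolute URL (the payload from this report)
            "//google.com/",                  // protocol-relative URL
            "/opennms/../other/",             // escapes the context after normalisation
            "/\\google.com",                  // backslash trick
            "javascript:alert(1)"             // non-HTTP scheme
        };
        for (String s : samples) {
            System.out.println(s + " -> " + sanitize(s));
        }
    }
}
```

      In a Spring MVC controller the call would replace direct use of the request parameter, e.g. `new RedirectView(RedirectTargetValidator.sanitize(request.getParameter("redirect")))`, so that a rejected value can never become the `Location` header.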

            People

            Assignee: Patrick Schweizer (patrick.schweizer)
            Reporter: Patrick Schweizer (patrick.schweizer)
            Votes: 0
            Watchers: 2
