  1. OpenNMS
  2. NMS-13496

Reflected XSS in webapp notice wizard

    Description

      A customer's internal pen-testing has identified a reflected cross-site scripting vulnerability in the notice wizard flow of the main OpenNMS webapp.

      Steps to reproduce:

      1) Log in as an admin user
      2) Paste the following primary attack URL into your browser's address bar, substituting protocol, hostname, and port as needed:

      http://localhost:8980/opennms/admin/notification/noticeWizard/buildPathOutage.jsp?newRule=IPADDR+IPLIKE+*.*.*.*%22%3e%3cscript%3ealert(document.cookie)%3c/script%3e&showNodes=on

      Expected result: A weird-looking rule renders into the filter rule input
      Actual result: JS popup dumping the user's cookies

      3) Paste the following secondary attack URL into your browser's address bar, adjusted as needed:

      http://localhost:8980/opennms/admin/notification/noticeWizard/buildPathOutage.jsp?newRule=IPADDR+IPLIKE+*.*.*.*"><h1><a/href=javascript:alert(document.cookie)>Click Here!!!</a></h1>&showNodes=on]

      Expected result: A weird-looking rule renders into the filter rule input
      Actual result: Weird-looking rule renders, followed by a hyperlink which, when clicked, results in a JS popup dumping the user's cookies

      4) From the Admin menu, click on Configure Notifications -> Configure Event Notifications. Click the "Add New Event Notification" button (these preliminary steps populate the necessary objects in the user's web session to set up the attack). Then, paste the following attack URL into your browser's address bar, adjusted as needed:

      http://localhost:8980/opennms/admin/notification/noticeWizard/buildPathOutage.jsp?newRule=IPADDR+IPLIKE+*.*.*.*&criticalIp=1.2.3.4%27%3e%3cscript%3ealert(document.cookie)%3c/script%3e&showNodes=on

      Expected result: A weird-looking value renders into the "Critical Path IP Address" field
      Actual result: JS popup dumping the user's cookies

      5) Paste the following attack URL into your browser's address bar:

      http://localhost:8980/opennms/admin/notification/noticeWizard/buildRule.jsp?newRule=IPADDR+IPLIKE+*.*.*.*%22><script>alert(document.cookie)</script>

      Expected result: Weirdness in the filter rule input field
      Actual result: JS popup dumping the user's cookies
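
The URLs above reach the page through two parameters, newRule and criticalIp, and use two different quote characters (%22 and %27) to leave the attribute they are reflected into. The following is an added example, not OpenNMS code and not part of the original report, showing output encoding for a quoted HTML attribute applied to the parameter values from steps 2 and 4. The class name, the rendered markup and the choice of delimiter for each attribute are assumptions inferred from the report.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

// Added example, not OpenNMS code. Class, method and markup are hypothetical.
public class NoticeWizardEncodingDemo {

    // Encode a value for a quoted HTML attribute. Both quote characters are
    // escaped because the report's inputs break out with %22 (") and %27 (').
    static String forHtmlAttribute(String value) {
        if (value == null) return "";
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (char c : value.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Render an input field; quote is the attribute delimiter (assumed per field).
    static String renderInput(String name, String value, char quote, boolean encode) {
        String v = encode ? forHtmlAttribute(value) : value;
        return "<input name=" + quote + name + quote + " value=" + quote + v + quote + ">";
    }

    public static void main(String[] args) {
        // Query-string values copied from steps 2 and 4 of the report.
        String[][] cases = {
            {"newRule", "IPADDR+IPLIKE+*.*.*.*%22%3e%3cscript%3ealert(document.cookie)%3c/script%3e", "\""},
            {"criticalIp", "1.2.3.4%27%3e%3cscript%3ealert(document.cookie)%3c/script%3e", "'"},
        };
        for (String[] c : cases) {
            String value = URLDecoder.decode(c[1], StandardCharsets.UTF_8);
            char quote = c[2].charAt(0);
            String raw = renderInput(c[0], value, quote, false);
            String safe = renderInput(c[0], value, quote, true);
            // A literal "<script" in the output means the value left the attribute.
            System.out.println(c[0] + " raw:     " + raw);
            System.out.println(c[0] + " encoded: " + safe);
            System.out.println("  script tag in raw=" + raw.contains("<script")
                    + ", in encoded=" + safe.contains("<script"));
        }
    }
}
```

With encoding applied, the value stays inside the attribute and the browser shows it as the "weird-looking" text the expected results describe.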

          People

            jeffg Jeff Gehlbach