Details
-
Type:
Bug
-
Status: Resolved (View Workflow)
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: 20.1.0
-
Fix Version/s: 21.0.2, Meridian-2017.1.3
-
Component/s: Web UI - Alarm Browser, Web UI - Event Browser
-
Security Level: Default (Default Security Scheme)
-
Sprint:Horizon - November 8th, Horizon - November 15th
Description
Impact
The application is vulnerable to reflected cross-site scripting (XSS). The requested data, which contains JavaScript code, is reflected in the response
Background
OpenNMS is a carrier-grade, highly integrated, open source platform designed for building network monitoring solutions. There are two distributions of OpenNMS: Meridian and Horizon. Using Meridian is advisable for enterprises and businesses looking for stability and long term support. Horizon is the place where innovation happens quickly and is ideal for monitoring new technologies and IT ecosystems. Both distributions are completely open source.
Technical Details
Attackers could trick users into following a link or navigating to a page that posts a malicious JavaScript statement to the vulnerable site, causing the malicious JavaScript to be rendered by the site and executed by the victim client. The JavaScript code could be used for several purposes including stealing user cookies or as a second step to hijacking a user's session. Another attack plan could include the possibility of inserting HTML instead of JavaScript to change/modify the contents of the vulnerable page, which could be used to trick the client.
A remote unauthenticated attacker could launch an XSS attack. The following requests can be used to inject the malicious payload by creating a favorite filter for alarms and/or events. The filter itself contains the malicious payload.
Events
GET /opennms/event/createFavorite?sortby=id&acktype=unack&limit=20&filter=nodenamelike%3D%3Cscript%3Ealert(2)%3C%2Fscript%3E&favoriteName=StoredXSS
Alarms
GET /opennms/alarm/createFavorite?sortby=id&acktype=unack&limit=10&filter=nodenamelike%3Dsds&favoriteName=sdsd<script>alert(123)</script>)
When the victim visits the main Events/Alarms page, where favorite filters are shown, the payload will be triggered.
Timeline
Oct 4, 2017: Researchers discovers vulnerability
Oct XX, 2017: IOActive contacts the vendor