Hyperic HQ Enterprise 4.5.1 Cross Site Scripting and Multiple Unspecified Security Vulnerabilities

2011-11-01T00:00:00
ID EDB-ID:36275
Type exploitdb
Reporter Benjamin Kunz Mejri
Modified 2011-11-01T00:00:00

Description

Hyperic HQ Enterprise 4.5.1 Cross Site Scripting and Multiple Unspecified Security Vulnerabilities. Webapps exploit for jsp platform

                                        
                                            source: http://www.securityfocus.com/bid/50456/info

Hyperic HQ Enterprise is prone to a cross-site scripting vulnerability and multiple unspecified security vulnerabilities.

An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and steal cookie-based authentication credentials. The impact of other issues is unknown.

These issues affect Hyperic HQ Enterprise 4.5.1; other versions may also be affected. 

Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers or local & low privileged user accounts.
For demonstration or reproduce ...

1.1
Code Review: HQ Roles  [IVE - Persistent]

<td width="30%" class="BlockContent">
<!-- END VIEW MODE --> 
</td></tr><tr valign="top">
<td width="20%" class="BlockLabel">Dashboard Name:</td>
<td width="30%" class="BlockContent">
<span id="dashboardString">New Role Dashboard</span></td>
<td width="20%" class="BlockLabel"></td>
<td width="30%" class="BlockContent"></td></tr></table>
<!--  /  -->


Code Review: java.security.krb5.kdc   Module: HQ Health / HQ Process Information & Diagnostics  [IVE - Persistent]

- java.rmi.server.codebase = http://h1461735:9093/ 
- java.rmi.server.hostname = h1461735 
- java.runtime.name = Java(TM) SE Runtime Environment 
- java.runtime.version = 1.6.0_13-b03 
- java.security.krb5.kdc = >"<INCLUDE/EXECUTE PERSISTENT SCRIPT CODE HERE!!!> 
- java.security.krb5.realm = >"<INCLUDE/EXECUTE PERSISTENT SCRIPT CODE HERE!!!> 
- java.specification.name = Java Platform API Specification 
- java.specification.vendor = Sun Microsystems Inc. 
- java.specification.version = 1.6 
- java.vendor = Sun Microsystems Inc. 

.../PoC/printReport(poc).hqu



Code Review: Browse - Monitor - Indikators  [IVE - Persistent]


hyperic.data.escalation.pauseSelect.options[12] = new Option("72 hours", "259200000");
hyperic.data.escalation.pauseSelect.options[13] = new Option("Until Fixed", "9223372036854775807");
</script>
<title>
HQ View Application Monitor Current Health - >"<INCLUDE/EXECUTE PERSISTENT SCRIPT CODE HERE!!!>
</title>
<script type="text/javascript">
var onloads = [];
function initOnloads() {
            if (arguments.callee.done) return;

... or

  hyperic.data.escalation.pauseSelect.options[12] = new Option("72 hours", "259200000");
  hyperic.data.escalation.pauseSelect.options[13] = new Option("Until Fixed", "9223372036854775807");
</script>
  <title>
   >"<INCLUDE/EXECUTE PERSISTENT SCRIPT CODE HERE!!!>
  </title>
    <script type="text/javascript">
        var onloads = [];
         function initOnloads() {
        
            if (arguments.callee.done) return;
            arguments.callee.done = true;
           if(typeof(_timer)!="undefined") clearInterval(_timer);
           for ( var i = 0 ; i < onloads.length ; i++ )
             onloads[i]();



Code Review: Applications ďż˝ All Applications - Topic  [IVE - Persistent]

<li class="hasSubmenu"><a href="">Recently Viewed</a><div><ul>
<li><a href="/Resource.do?eid=4:10001">"<INCLUDE/EXECUTE PERSISTENT SCRIPT CODE HERE!!!>;
</a></li></ul></div></li></ul></div></li><li id="analyzeTab"><a href="#">Analyze</a><div><ul>



Code Review: General Properties - Inventory over Exception-Handling [IVE - Persistent]

<div id="exception27" style="visibility:hidden">javax.servlet.jsp.JspTagException: javax.servlet.jsp.JspException: 
An error occurred while evaluating custom action attribute "sort" with value "${param.scs}": An exception occured trying to convert 
String ">"<INCLUDE/EXECUTE PERSISTENT SCRIPT CODE HERE!!!>" to type "java.lang.Integer"
  at org.hyperic.hq.ui.taglib.display.TableTag.evalAttr(TableTag.java:1456)
  at org.hyperic.hq.ui.taglib.display.TableTag.evalAttr(TableTag.java:1438)
  at org.hyperic.hq.ui.taglib.display.TableTag.evaluateAttributes(TableTag.java:1517)
  at org.hyperic.hq.ui.taglib.display.TableTag.doStartTag(TableTag.java:226)
  at org.apache.jsp.resource.application.inventory.ListServices_jsp._jspx_meth_display_005ftable_005f0(Unknown Source)
  at org.apache.jsp.resource.application.inventory.ListServices_jsp._jspx_meth_html_005fform_005f0(Unknown Source)
  at org.apache.jsp.resource.application.inventory.ListServices_jsp._jspService(Unknown Source)
  at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:654)
  at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:557)
  at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:481)
  at org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary.java:968)
  at org.apache.jasper.runtime.PageContextImpl.include(PageContextImpl.java:609)
  at org.apache.struts.tiles.TilesUtilImpl.doInclude(TilesUtilImpl.java:99)
  at org.apache.struts.tiles.TilesUtil.doInclude(TilesUtil.java:135)
  at org.apache.struts.taglib.tiles.InsertTag.doInclude(InsertTag.java:760)
  at org.apache.struts.taglib.tiles.InsertTag$InsertHandler.doEndTag(InsertTag.java:892)
  at org.apache.struts.taglib.tiles.InsertTag.doEndTag(InsertTag.java:462)
  at org.apache.jsp.resource.application.inventory.ViewApplication_jsp._jspx_meth_tiles_005finsert_005f8(Unknown Source)
  at org.apache.jsp.resource.application.inventory.ViewApplication_jsp._jspService(Unknown Source)
  at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:654)
  at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:557)
  at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:481)
  at org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary.java:968)
  at org.apache.jasper.runtime.PageContextImpl.include(PageContextImpl.java:609)
  at org.apache.struts.tiles.TilesUtilImpl.doInclude(TilesUtilImpl.java:99)
  at org.apache.struts.tiles.TilesUtil.doInclude(TilesUtil.java:135)
  at org.apache.struts.taglib.tiles.InsertTag.doInclude(InsertTag.java:760)
  at org.apache.struts.taglib.tiles.InsertTag$InsertHandler.doEndTag(InsertTag.java:892)
  at org.apache.struts.taglib.tiles.InsertTag.doEndTag(InsertTag.java:462)
  at org.apache.jsp.portal.ColumnsLayout_jsp._jspx_meth_tiles_005finsert_005f0(Unknown Source)
  at org.apache.jsp.portal.ColumnsLayout_jsp._jspx_meth_c_005fforEach_005f1(Unknown Source)
  at org.apache.jsp.portal.ColumnsLayout_jsp._jspx_meth_c_005fforEach_005f0(Unknown Source)
  at org.apache.jsp.portal.ColumnsLayout_jsp._jspService(Unknown Source)
  at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:654)
  at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:557)
  at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:481)
  at org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary.java:968)
  at org.apache.jasper.runtime.PageContextImpl.include(PageContextImpl.java:609)
  at org.apache.struts.tiles.TilesUtilImpl.doInclude(TilesUtilImpl.java:99)
  at org.apache.struts.tiles.TilesUtil.doInclude(TilesUtil.java:135)
  at org.apache.struts.taglib.tiles.InsertTag.doInclude(InsertTag.java:760)
  at org.apache.struts.taglib.tiles.InsertTag$InsertHandler.doEndTag(InsertTag.java:892)
  at org.apache.struts.taglib.tiles.InsertTag.doEndTag(InsertTag.java:462)
  at org.apache.jsp.portal.MainLayout_jsp._jspx_meth_tiles_005finsert_005f2(Unknown Source)
  at org.apache.jsp.portal.MainLayout_jsp._jspService(Unknown Source)
  at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:654)
  at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:445)
  at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:379)
  at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:292)
  at org.apache.struts.action.RequestProcessor.doForward(RequestProcessor.java:1085)
  at org.apache.struts.tiles.TilesRequestProcessor.doForward(TilesRequestProcessor.java:263)
  at org.apache.struts.tiles.TilesRequestProcessor.processTilesDefinition(TilesRequestProcessor.java:239)
  at org.apache.struts.tiles.TilesRequestProcessor.internalModuleRelativeForward(TilesRequestProcessor.java:341)
  at org.apache.struts.action.RequestProcessor.processForward(RequestProcessor.java:572)
  at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:221)
  at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
  at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.hyperic.hq.ui.AuthenticationFilter.doFilter(AuthenticationFilter.java:167)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.hyperic.hibernate.filter.SessionFilter$1.run(SessionFilter.java:59)
  at org.hyperic.hq.hibernate.SessionManager.runInSessionInternal(SessionManager.java:79)
  at org.hyperic.hq.hibernate.SessionManager.runInSession(SessionManager.java:68)
  at org.hyperic.hibernate.filter.SessionFilter.doFilter(SessionFilter.java:57)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:164)
  at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:141)
  at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:90)
  at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:417)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.hyperic.hq.product.servlet.filter.JMXFilter.doFilter(JMXFilter.java:322)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
  at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
  at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
  at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
  at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
  at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
  at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
  at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
  at java.lang.Thread.run(Unknown Source) </div>


1.2
References:
http://www.example.com/admin/role/RoleAdmin.do?mode=new
http://www.example.com/hqu/health/health/printReport.hqu
http://www.example.com/Resource.do?eid=4:10001
http://www.example.com/ResourceHub.do
http://www.example.com/resource/application/Inventory.do?mode=view&accord=3&eid=4:10001&sos=dec&scs=




Code Review: Escalation Schemes Configuration [XSS]

http://www.example.com/admin/config/Config.do?mode=escalate&escId=[INCLUDE CLIENT_SIDE SCRIPTCODE HERE!!!]

References:
http://www.example.com/admin/config/Config.do?mode=escalate&escId=