Date: Mon, 9 Apr 2018 14:36:20 +0000
From: Simon Bieber <sbieber@...uvera.de>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] secuvera-SA-2017-03: Reflected Cross-Site-Scripting
 Vulnerabilities in OCS Inventory NG ocsreports Web application

Affected Products
   OCSInventory-ocsreports 2.4
   (older releases have not been tested) 
References
   https://www.secuvera.de/advisories/secuvera-SA-2017-03.txt (used for updates)
   https://www.ocsinventory-ng.org/en/ocs-inventory-server-2-4-1-has-been-released/ (Release announcement of OCS Inventory 2.4.1)

Summary:
   Open Computer and Software Inventory Next Generation (OCS inventory NG) is free software that enables users to inventory IT assets. (Source: Wikipedia)
   OCS Reports for OCS Inventory is a web application to manage the OCS Inventory Server and Clients. 
   The web application is prone to reflected Cross-Site-Scripting (XSS) attacks.

Effect:
   An attacker is able to execute arbitrary JavaScript code within a victim's browser by luring the victim into clicking a link that contains malicious code.
   

Vulnerable Scripts:
   1) anonymous: the USERID and Password fields of the login page are vulnerable
   2) logged in user: index.php: arbitrary user-supplied URL parameters are included within a JavaScript block
   3) logged in user: index.php: the parameter "prov" is included within a hidden form field on the page
   
Examples:
   1) Enter the following payload into the login form: " onload="alert(42);
   2) http://<ip>/index.php?function=visu_search&prov=allsoft&value=somesoftware%&rk28e'-alert(1)-'js9gz=1
   3) http://<ip>/index.php?function=visu_search&prov=allsoftfrsk4'accesskey%3d'x'onclick%3d'alert(1)'%2f%2fqqy1d&value=<name_of_software>
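The three examples above reflect input into three different output contexts (a double-quoted attribute value, a JavaScript block, and a single-quoted hidden-field attribute), and each one needs its own encoding. The following added Python example, which is not code from the advisory or from OCS Inventory, uses hypothetical, deliberately simplified rendering functions to show why naive reflection breaks out in each context and how context-aware encoding (attribute escaping via `html.escape`, a single JSON literal for the script block) keeps the same inputs as inert data. The sample inputs are the advisory's own payloads, URL-decoded; the host `ocs.example` is a placeholder for the `<ip>` in the examples. A small `html.parser`-based helper parses the resulting markup the way a browser would, so the difference shows up as parsed attributes rather than as string inspection.

```python
import html
import json
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Constructed sample inputs, taken from the advisory's Examples section (URL-decoded).
# "ocs.example" stands in for the "<ip>" placeholder used in the advisory.
LOGIN_PAYLOAD = '" onload="alert(42);'
JS_PARAM_NAME = "rk28e'-alert(1)-'js9gz"
PROV_PAYLOAD = "allsoftfrsk4'accesskey='x'onclick='alert(1)'//qqy1d"
EXAMPLE_URL = ("http://ocs.example/index.php?function=visu_search&prov=allsoft"
               "&value=somesoftware%&rk28e'-alert(1)-'js9gz=1")


def query_params(url):
    """Decode the query string as the application receives it. Note that example 2
    carries its payload in a parameter *name*, not in a value."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


class FirstInput(HTMLParser):
    """Collect the attributes of the first <input> tag, as a browser would parse them."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = dict(attrs)


def input_attributes(markup):
    parser = FirstInput()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


# 1) Login form (hypothetical template): input reflected into a double-quoted attribute.
def render_login_vulnerable(userid):
    return f'<input type="text" name="USERID" value="{userid}">'


def render_login_hardened(userid):
    # quote=True escapes both quote characters, so the value can never close the attribute.
    return f'<input type="text" name="USERID" value="{html.escape(userid, quote=True)}">'


# 2) index.php (hypothetical template): every query parameter copied into a <script> block.
def render_js_vulnerable(params):
    lines = [f"  params['{k}'] = '{v}';" for k, v in params.items()]
    return "<script>\n  var params = {};\n" + "\n".join(lines) + "\n</script>"


def render_js_hardened(params):
    # Serialize the whole mapping once as JSON, so keys and values become quoted string
    # literals; also escape "<" and ">" so no value can terminate the <script> element.
    data = json.dumps(params).replace("<", "\\u003c").replace(">", "\\u003e")
    return f"<script>\n  var params = {data};\n</script>"


def embedded_params(markup):
    """Read back the JSON literal from the hardened block (round-trip check)."""
    start = markup.index("var params = ") + len("var params = ")
    end = markup.index(";\n</script>")
    return json.loads(markup[start:end])


# 3) index.php (hypothetical template): "prov" reflected into a single-quoted hidden field.
def render_hidden_vulnerable(prov):
    return f"<input type='hidden' name='prov' value='{prov}'>"


def render_hidden_hardened(prov):
    # html.escape(quote=True) also turns ' into &#x27;, which is what a single-quoted
    # attribute needs; escaping only " would leave this context exposed.
    return f"<input type='hidden' name='prov' value='{html.escape(prov, quote=True)}'>"


if __name__ == "__main__":
    params = query_params(EXAMPLE_URL)
    print(input_attributes(render_login_vulnerable(LOGIN_PAYLOAD)))
    print(input_attributes(render_login_hardened(LOGIN_PAYLOAD)))
    print(render_js_vulnerable(params))
    print(render_js_hardened(params))
    print(input_attributes(render_hidden_vulnerable(PROV_PAYLOAD)))
    print(input_attributes(render_hidden_hardened(PROV_PAYLOAD)))
```

Running the module prints, for each context, the parsed attributes (or script block) of the vulnerable and the hardened rendering side by side: in the vulnerable versions the browser sees an extra `onload`/`onclick` attribute or a broken-out string expression, while in the hardened versions the complete payload survives only as the `value` attribute or as a JSON string. The JSON approach for the script block is the important design choice: escaping quotes by hand is fragile, whereas one `json.dumps` call covers every key and value uniformly and leaves nothing for a later parameter to break out of.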

Solution:
   Install OCS Inventory Release 2.4.1 or newer. 
   
Disclosure Timeline:
   2017/12/15 vendor contacted, asked for security contact information
   2018/01/02 contacted vendor again after no answer was received so far
   2018/01/02 response of responsible contact 
   2018/01/22 Sent technical details
   2018/02/12 Developer replied proposing fix
   2018/03/28 Developer contacted us to announce the upcoming release
   2018/04/05 OCS Version 2.4.1 with fix was released
   2018/08/10 Release of the security advisory
   
Credits
   Simon Bieber, secuvera GmbH
   sbieber@...uvera.de
   https://www.secuvera.de
	
Thanks to:
   Michael Hermann, secuvera GmbH 
   for his support!
   Gilles Dubois and Damien Belliard, factorfx
   for fixing this issue!
	
Disclaimer:
   All information is provided without warranty. The intent is to provide information
   to secure infrastructure and/or systems, not to be able to attack or damage.
   Therefore secuvera shall not be liable for any direct or indirect damages that
   might be caused by using this information.


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/