OpenNMS Multiple Vulnerabilities BugSec | Security Advisory Moshe Ben-Abu | Security Expert Advisory URL (PDF): http://www.bugsec.com/up_files/OpenNMS_Multiple_Vulnerabilities.pdf - Table of Contents - OPENNMS MULTIPLE VULNERABILITIES 1 Vendor 3 Application Description 3 OpenNMS HTTP Response Splitting Vulnerability 3 Vulnerability Information 3 Vulnerability Details 3 Proof-of-Concept 4 OpenNMS Cross-Site Scripting Vulnerabilities 5 Vulnerability Information 5 Vulnerability Details 5 Proof-of-Concept 5 Security Analysis 6 Discovery 6 Disclosure Timeline 6 About BugSec LTD. 6 References 6 Vendor OpenNMS Group =E2=80=93 http://www.opennms.com OpenNMS Project =E2=80=93 http://www.opennms.org Application Description =E2=80=9COpenNMS is the world's first enterprise grade network management platform developed under the open source model. It consists of a community supported open-source project as well as a commercial services, training, and support organization. - From OpenNMS Project website. OpenNMS HTTP Response Splitting Vulnerability Vulnerability Information Remotely exploitable: Yes Locally exploitable: No Affected versions: OpenNMS 1.5.93-1 Other versions may also be affected. Vulnerability Details An input validation problem exists within OpenNMS which allows injecting CR (carriage return - %0D or \r) and LF (line feed - %0A or \n) characters into the server HTTP response header, resulting in a HTTP Response Splitting[1] vulnerability. This vulnerability is possible because the application fails to validate user supplied input, returning it un-sanitized within the server HTTP response header back to the client. This vulnerability not only gives attackers control of the remaining headers and body of the server response, but also allows them to create additional responses entirely under their control. Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, and influence or misrepresent how web content is served, cached, or interpreted. Other attacks are also possible. Proof-of-Concept Header injection http://server/opennms/event/query?%0D%0AInjectedHeader:%20BugSec Server response HTTP/1.1 302 Moved Temporarily Date: Thu, 25 Sep 2008 11:30:05 GMT Server: Apache/2.2.3 Location: http://server/opennms/event/list? InjectedHeader: BugSecContent-Length: 0 Connection: close Content-Type: text/plain; charset=UTF-8 HTTP Response Splitting http://server/opennms/event/query?%0D%0AContent-Length:%200%0D%0A%0D%0AHTTP/1.1%20200%20OK%0D%0AContent-Type:%20text /html%0D%0AContent-Length:%2036%0D%0A%0D%0ABugSecTUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better). Site design & layout copyright © 1986-2024 AOH