BugTraq
secuvera-SA-2017-03: Reflected Cross-Site-Scripting Vulnerabilities in OCS Inventory NG ocsreports Web application Apr 09 2018 02:57PM
Simon Bieber (sbieber secuvera de)
Affected Products

OCSInventory-ocsreports 2.4

(older releases have not been tested)

References

https://www.secuvera.de/advisories/secuvera-SA-2017-03.txt (used for updates)

https://www.ocsinventory-ng.org/en/ocs-inventory-server-2-4-1-has-been-released/ (Release announcement of OCS Inventory 2.4.1)

Summary:

Open Computer and Software Inventory Next Generation (OCS inventory NG) is free software that enables users to inventory IT assets. (Source: Wikipedia)

OCS Reports for OCS Inventory is a web application to manage the OCS Inventory Server and Clients.

The web application is prone to reflected Cross-Site-Scripting (XSS) attacks.

Effect:

An attacker is able to execute arbitrary (JavaScript) code within a victim's browser by luring the victim to click on a link containing malicious code.

Vulnerable Scripts:

1) anonymous: the USERID and Password fields of the login page are vulnerable

2) logged in user: index.php: arbitrary user-supplied URL parameters are included within a JavaScript block

3) logged in user: index.php: the parameter "prov" is included within a hidden form field of the page

Examples:

1) Enter the following payload into login form: " onload="alert(42);

2) http://<ip>/index.php?function=visu_search&prov=allsoft&value=somesoftware%&rk28e'-alert(1)-'js9gz=1

3) http://<ip>/index.php?function=visu_search&prov=allsoftfrsk4'accesskey%3d'x'onclick%3d'alert(1)'%2f%2fqqy1d&value=<name_of_software>

Solution:

Install OCS Inventory Release 2.4.1 or newer.
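
Added example, not taken from the advisory or from the OCS Inventory code base: a PHP illustration of the output contexts listed under "Vulnerable Scripts" (quoted HTML attribute and inline JavaScript block), with unencoded output beside context-appropriate encoding. All function names are hypothetical and the inputs are constructed from examples 2 and 3 above.

```php
<?php
// Added illustration; NOT OCS Inventory source code. Function names are hypothetical.

// Contexts 1 and 3: a value placed inside a quoted HTML attribute
// (login fields, hidden form field carrying "prov").
function attr_unsafe(string $name, string $value): string {
    return "<input type='hidden' name='$name' value='$value'>";
}

function attr_safe(string $name, string $value): string {
    // ENT_QUOTES encodes both ' and ", so the value cannot close the attribute.
    $n = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $v = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<input type='hidden' name='$n' value='$v'>";
}

// Context 2: request parameters copied into an inline <script> block.
function js_unsafe(array $params): string {
    $out = "<script>var p = {};\n";
    foreach ($params as $k => $v) {
        $out .= "p['$k'] = '$v';\n";
    }
    return $out . "</script>";
}

function js_safe(array $params): string {
    // json_encode emits a valid JS literal; the JSON_HEX_* flags also escape
    // <, >, &, ' and " so data cannot end the string or the script element.
    // JSON_INVALID_UTF8_SUBSTITUTE (PHP 7.2+) avoids a false return on bad UTF-8.
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP
           | JSON_INVALID_UTF8_SUBSTITUTE;
    return "<script>var p = " . json_encode($params, $flags) . ";</script>";
}

// Constructed inputs modelled on the advisory's examples 2 and 3 (URL-decoded).
$prov   = "allsoftfrsk4'accesskey='x'onclick='alert(1)'//qqy1d";
$params = ["rk28e'-alert(1)-'js9gz" => "1"];

echo attr_unsafe('prov', $prov), "\n"; // quote closes the attribute early
echo attr_safe('prov', $prov), "\n";   // quotes arrive as &#039;
echo js_unsafe($params), "\n";         // quote closes the JS string early
echo js_safe($params), "\n";           // quotes arrive as \u0027
```

The same input needs different encoding in each context: HTML entity encoding is correct inside an attribute but does not protect a JavaScript string literal, and vice versa.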

Disclosure Timeline:

2017/12/15 vendor contacted, asked for security contact information

2018/01/02 contacted vendor again after no answer was received so far

2018/01/02 response of responsible contact

2018/01/22 Sent technical details

2018/02/12 Developer replied proposing fix

2018/03/28 Developer contacted us to announce the upcoming release

2018/04/05 OCS Version 2.4.1 was released

2018/08/09 Release of the security advisory

Credits

Simon Bieber, secuvera GmbH

sbieber (at) secuvera (dot) de

https://www.secuvera.de

Thanks to:

Michael Hermann, secuvera GmbH

for his support!

Gilles Dubois and Damien Belliard, factorfx

for fixing this issue!

Disclaimer:

All information is provided without warranty. The intent is to provide information to secure infrastructure and/or systems, not to be able to attack or damage. Therefore secuvera shall not be liable for any direct or indirect damages that might be caused by using this information.
