secuvera-SA-2017-03: Reflected Cross-Site-Scripting Vulnerabilities- in OCS Inventory NG ocsreports Web application

From: Simon Bieber <sbieber@secuvera.de>
To: bugtraq@securityfocus.com <bugtraq@securityfocus.com>
Cc:
Subject: secuvera-SA-2017-03: Reflected Cross-Site-Scripting Vulnerabilities- in OCS Inventory NG ocsreports Web application
Date:


Affected Products
   OCSInventory-ocsreports 2.4
   (older releases have not been tested) 
References
   https://www.secuvera.de/advisories/secuvera-SA-2017-03.txt (used for updates)
   https://www.ocsinventory-ng.org/en/ocs-inventory-server-2-4-1-has-been-released/ (Release announcement of OCS Inventory 2.4.1)

Summary:
   Open Computer and Software Inventory Next Generation (OCS inventory NG) is free software that enables users to inventory IT assets. (Source: Wikipedia)
   OCS Reports for OCS Inventory is a web application to manage the OCS Inventory Server and Clients. 
   The web application is prone to reflected Cross-Site-Scripting (XSS) attacks.

Effect:
   An attacker is able to execute arbitrary (javascript) code within a victims' browser by luring a victim to click on a link containing malicious code 
   

Vulnerable Scripts:
   1) anonymous: USERID and Password field of login page are vulnerable
   2) logged in user: index.php: arbitrary supplied URL parameters will get included within a javascript block. 
   3) logged in user: index.php: parameter "prov" will get included within a hidden page form field
   
Examples:
   1) Enter the following payload into login form: " onload="alert(42);
   2) http://<ip>/index.php?function=visu_search&prov=allsoft&value=somesoftware%&rk28e'-alert(1)-'js9gz=1
   3) http://<ip>/index.php?function=visu_search&prov=allsoftfrsk4'accesskey%3d'x'onclick%3d'alert(1)'%2f%2fqqy1d&value=<name_of_software>

Solution:
   Install OCS Inventory Release 2.4.1 or newer. 
   
Disclosure Timeline:
   2017/12/15 vendor contacted, asked for security contact information
   2018/01/02 contacted vendor again after no answer was received so far
   2018/01/02 response of responsible contact 
   2018/01/22 Sent technical details
   2018/02/12 Developer replied proposing fix
   2018/03/28 Developer contacted us to announce the upcoming release
   2018/04/05 OCS Version 2.4.1 was released
   2018/08/09 Release of the security advisory
   
Credits
   Simon Bieber, secuvera GmbH
   sbieber@secuvera.de
   https://www.secuvera.de
        
Thanks to:
   Michael Hermann, secuvera GmbH 
   for his support!
   Gilles Dubois and Damien Belliard, factorfx
   for fixing this issue!
    
Disclaimer:
   All information is provided without warranty. The intent is to provide informa-
   tion to secure infrastructure and/or systems, not to be able to attack or damage.
   Therefore secuvera shall not be liable for any direct or indirect damages that 
   might be caused by using this information. 






Copyright © 1995-2018 LinuxRocket.net. All rights reserved.