OCS Inventory NG ocsreports 2.4 Cross Site Scripting

OCS Inventory NG ocsreports version 2.4 suffers from a cross site scripting vulnerability.

MD5 | 67dce20799efa4550a82cd18145be649

Affected Products
OCSInventory-ocsreports 2.4
(older releases have not been tested)
https://www.secuvera.de/advisories/secuvera-SA-2017-03.txt (used for updates)
https://www.ocsinventory-ng.org/en/ocs-inventory-server-2-4-1-has-been-released/ (Release announcement of OCS Inventory 2.4.1)

Open Computer and Software Inventory Next Generation (OCS inventory NG) is free software that enables users to inventory IT assets. (Source: Wikipedia)
OCS Reports for OCS Inventory is a web application to manage the OCS Inventory Server and Clients.
The web application is prone to reflected Cross-Site-Scripting (XSS) attacks.

An attacker is able to execute arbitrary (javascript) code within a victims' browser by luring a victim to click on a link containing malicious code

Vulnerable Scripts:
1) anonymous: USERID and Password field of login page are vulnerable
2) logged in user: index.php: arbitrary supplied URL parameters will get included within a javascript block.
3) logged in user: index.php: parameter "prov" will get included within a hidden page form field

1) Enter the following payload into login form: " onload="alert(42);
2) http://<ip>/index.php?function=visu_search&prov=allsoft&value=somesoftware%&rk28e'-alert(1)-'js9gz=1
3) http://<ip>/index.php?function=visu_search&prov=allsoftfrsk4'accesskey%3d'x'onclick%3d'alert(1)'%2f%2fqqy1d&value=<name_of_software>

Install OCS Inventory Release 2.4.1 or newer.

Disclosure Timeline:
2017/12/15 vendor contacted, asked for security contact information
2018/01/02 contacted vendor again after no answer was received so far
2018/01/02 response of responsible contact
2018/01/22 Sent technical details
2018/02/12 Developer replied proposing fix
2018/03/28 Developer contacted us to announce the upcoming release
2018/04/05 OCS Version 2.4.1 was released
2018/08/09 Release of the security advisory

Simon Bieber, secuvera GmbH
[email protected]

Thanks to:
Michael Hermann, secuvera GmbH
for his support!
Gilles Dubois and Damien Belliard, factorfx
for fixing this issue!

All information is provided without warranty. The intent is to provide informa-
tion to secure infrastructure and/or systems, not to be able to attack or damage.
Therefore secuvera shall not be liable for any direct or indirect damages that
might be caused by using this information.

Related Posts