OCS Inventory NG ocsreports 2.4 Cross Site Scripting

Affected Products
OCSInventory-ocsreports 2.4
(older releases have not been tested)
References
https://www.secuvera.de/advisories/secuvera-SA-2017-03.txt (used for update Affected Products
OCSInventory-ocsreports 2.4
(older releases have not been tested)
References
https://www.secuvera.de/advisories/secuvera-SA-2017-03.txt (used for updates)
https://www.ocsinventory-ng.org/en/ocs-inventory-server-2-4-1-has-been-released/ (Release announcement of OCS Inventory 2.4.1)

Summary:
Open Computer and Software Inventory Next Generation (OCS inventory NG) is free software that enables users to inventory IT assets. (Source: Wikipedia)
OCS Reports for OCS Inventory is a web application to manage the OCS Inventory Server and Clients.
The web application is prone to reflected Cross-Site-Scripting (XSS) attacks.

Effect:
An attacker is able to execute arbitrary (javascript) code within a victims' browser by luring a victim to click on a link containing malicious code


Vulnerable Scripts:
1) anonymous: USERID and Password field of login page are vulnerable
2) logged in user: index.php: arbitrary supplied URL parameters will get included within a javascript block.
3) logged in user: index.php: parameter "prov" will get included within a hidden page form field

Examples:
1) Enter the following payload into login form: " onload="alert(42);
2) http://<ip>/index.php?function=visu_search&prov=allsoft&value=somesoftware%&rk28e'-alert(1)-'js9gz=1
3) http://<ip>/index.php?function=visu_search&prov=allsoftfrsk4'accesskey%3d'x'onclick%3d'alert(1)'%2f%2fqqy1d&value=<name_of_software>

Solution:
Install OCS Inventory Release 2.4.1 or newer.

Disclosure Timeline:
2017/12/15 vendor contacted, asked for security contact information
2018/01/02 contacted vendor again after no answer was received so far
2018/01/02 response of responsible contact
2018/01/22 Sent technical details
2018/02/12 Developer replied proposing fix
2018/03/28 Developer contacted us to announce the upcoming release
2018/04/05 OCS Version 2.4.1 was released
2018/08/09 Release of the security advisory

Credits
Simon Bieber, secuvera GmbH
sbieber@secuvera.de
https://www.secuvera.de

Thanks to:
Michael Hermann, secuvera GmbH
for his support!
Gilles Dubois and Damien Belliard, factorfx
for fixing this issue!

Disclaimer:
All information is provided without warranty. The intent is to provide informa-
tion to secure infrastructure and/or systems, not to be able to attack or damage.
Therefore secuvera shall not be liable for any direct or indirect damages that
might be caused by using this information.

Leave a comment