GHSA-c66p-64fj-jmc2: LibreNMS Misc Section Stored Cross-site Scripting vulnerability
StoredXSS-LibreNMS-MiscSection
Description:
Stored XSS on the parameter: ajax_form.php -> param: state
Request:
POST /ajax_form.php HTTP/1.1
Host: <your_host>
X-Requested-With: XMLHttpRequest
X-CSRF-TOKEN: <your_XSRF_token>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: <your_cookie>
type=override-config&device_id=1&attrib=override_icmp_disable&state="><img%20src%20onerror="alert(1)">
This issue in LibreNMS version 24.10.1 (https://github.com/librenms/librenms) allows remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure.
The vulnerability in the line:
$attrib_val = get_dev_attrib($device, $name);
within the dynamic_override_config function arises because the value of $attrib_val is retrieved from untrusted data without any sanitization or encoding (at Line 778).
When dynamic_override_config is called, the unescaped $attrib_val is injected directly into the HTML (at misc.inc.php).
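The pattern described above, shown next to an output-encoded version, as an added example that is not LibreNMS source code. The helper functions and the field name example_port are hypothetical stand-ins; the sample value is the payload from this advisory, treated as data read back from storage.

```php
<?php
// Added example: simplified stand-ins, not LibreNMS source code.
// render_override_input_*() and validate_port() are hypothetical helpers.

// Vulnerable pattern: the stored value is concatenated into an attribute unescaped.
function render_override_input_unsafe(string $name, string $attrib_val): string
{
    return '<input type="text" name="' . $name . '" value="' . $attrib_val . '">';
}

// Hardened pattern: encode for the HTML attribute context at output time.
function render_override_input_safe(string $name, string $attrib_val): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    return '<input type="text" name="' . htmlspecialchars($name, $flags, 'UTF-8')
        . '" value="' . htmlspecialchars($attrib_val, $flags, 'UTF-8') . '">';
}

// Defence in depth: the affected fields hold port numbers, so reject
// anything that is not an integer in the valid port range on write.
function validate_port(string $state): ?int
{
    $port = filter_var($state, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 65535]]);
    return $port === false ? null : $port;
}

// Constructed sample: the advisory's payload as it would come back from storage.
$stored = '"><img src onerror="alert(document.cookie)">';

// The leading quote closes value="..." and the <img> tag becomes live markup.
echo render_override_input_unsafe('example_port', $stored), PHP_EOL;

// Quotes and angle brackets are emitted as entities; the value stays inert text.
echo render_override_input_safe('example_port', $stored), PHP_EOL;

// The payload is rejected before storage; a numeric port is accepted.
var_dump(validate_port($stored));
var_dump(validate_port('2222'));
```

Encoding at output is the primary fix because it also neutralises values already stored before validation was added.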
Proof of Concept:
- Add a new device through the LibreNMS interface.
- Edit the newly created device and select the Misc section.
- In any of the following fields: "Override default ssh port", "Override default telnet port", "Override default http port" or "Unix agent port", enter the payload: "><img src onerror="alert(document.cookie)">
- Save the changes.
- Observe that when the page loads, the XSS payload executes, triggering a popup that displays the current cookies.
Impact:
Execution of Malicious Code
References
- GHSA-c66p-64fj-jmc2
- librenms/librenms#16722
- librenms/librenms@26258a2