oss-sec mailing list archives

Zenoss Open Source monitoring System - Open Redirect & Stored XSS Vulnerabilities


From: Dolev Farhi <dolevf87 () gmail com>
Date: Wed, 14 May 2014 15:03:09 +0300

Hi,

Several security issues were found in Zenoss monitoring system.


1.  Stored XSS.
A persistent XSS vulnerability was found in Zenoss core. By creating a
malicious host with the Title <script>alert("Xss")</script>, any user
browsing to the relevant manufacturers page will get a client-side
script executed immediately.

Proof of concept:
 1. Create a device with the Title <script>alert("XSS")</script>
 2. Navigate to the Infrastructure -> Manufacturers page.
 3. Pick the name of the manufacturer of the device, e.g. Intel
 4. Select the type of the hardware the device is assigned to, e.g.
    GenuineIntel_ Intel(R) Core(TM) i7-2640M CPU _ 2.80GHz
 5. The XSS executes.
    <tr class="even">
      <td class="tablevalues"><a href='/zport/dmd/Devices/Server/Linux/devices/localhost/devicedetail'><script>alert("xss")</script></a></td>
      <td class="tablevalues">GenuineIntel_        Intel(R) Core(TM) i7-2640M CPU _ 2.80GHz</td>
    </tr>



2. Open Redirect vulnerability.
An open redirect is possible via
http://zenoss-url.com/:8080/zport/acl_users/cookieAuthHelper/login_form?came_from=[http://malicious-website.com]
allowing an attacker to redirect a user to a malicious website.



Can CVE numbers please be assigned to these?

Tx.



-- 
additional proof of concept vid.
https://www.youtube.com/watch?v=wtmdsz24evo&feature=youtu.be
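
Added example, not part of the original post and not Zenoss code: one way to address both reported issues, by refusing an off-site came_from value and HTML-escaping the device Title when the table row is rendered. The function names, ALLOWED_HOST and DEFAULT_LANDING are assumptions made for illustration.

```python
import html
from urllib.parse import urlsplit

# Hypothetical names and constructed values; this is not Zenoss code.
ALLOWED_HOST = "zenoss.example:8080"
DEFAULT_LANDING = "/zport/dmd/"


def safe_came_from(came_from, allowed_host=ALLOWED_HOST):
    """Return came_from only if it stays on this site, else DEFAULT_LANDING."""
    if not came_from:
        return DEFAULT_LANDING
    # Browsers treat "\" as "/" and drop tabs/newlines inside URLs, so
    # refuse both before parsing.
    if "\\" in came_from or any(ord(c) < 0x20 or ord(c) == 0x7F for c in came_from):
        return DEFAULT_LANDING
    try:
        parts = urlsplit(came_from)
    except ValueError:  # malformed authority, e.g. an unclosed "["
        return DEFAULT_LANDING
    if not parts.scheme and not parts.netloc:
        # Relative reference: exactly one leading slash, so "//host" and
        # "///host" are refused.
        if came_from.startswith("/") and not came_from.startswith("//"):
            return came_from
        return DEFAULT_LANDING
    if parts.scheme in ("http", "https") and parts.netloc.lower() == allowed_host:
        return came_from
    return DEFAULT_LANDING


def render_device_row(detail_path, title, hardware):
    """Build the table row shown in the report with each value HTML-escaped."""
    cells = [html.escape(v, quote=True) for v in (detail_path, title, hardware)]
    return (
        '<tr class="even">'
        '<td class="tablevalues"><a href="{}">{}</a></td>'
        '<td class="tablevalues">{}</td>'
        "</tr>"
    ).format(*cells)
```

With the Title from the proof of concept, render_device_row emits the markup as inert text, and safe_came_from falls back to the default landing page for the external URL.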
