GHSA-c66p-64fj-jmc2

Source
https://github.com/advisories/GHSA-c66p-64fj-jmc2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-c66p-64fj-jmc2/GHSA-c66p-64fj-jmc2.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-c66p-64fj-jmc2
Aliases
  • CVE-2025-23200
Published
2025-01-16T17:32:55Z
Modified
2025-01-17T16:01:45.223289Z
Severity
  • 4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Summary
LibreNMS Misc Section Stored Cross-site Scripting vulnerability
Details

StoredXSS-LibreNMS-MiscSection

Description:

Stored XSS on the parameter: ajax_form.php -> param: state

Request:

POST /ajax_form.php HTTP/1.1
Host: <your_host>
X-Requested-With: XMLHttpRequest
X-CSRF-TOKEN: <your_XSRF_token>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: <your_cookie>

type=override-config&device_id=1&attrib=override_icmp_disable&state="><img%20src%20onerror="alert(1)"> 

This stored XSS in LibreNMS version 24.10.1 (https://github.com/librenms/librenms) allows remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure.

The vulnerability in the line:

$attrib_val = get_dev_attrib($device, $name);

within the dynamic_override_config function arises because the value of $attrib_val is retrieved from untrusted data without any sanitization or encoding (at Line 778).

When dynamic_override_config is called, the unescaped $attrib_val is injected directly into the HTML (at misc.inc.php).
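
The unescaped-output pattern described above, reduced to a minimal added example next to its encoded form. This is illustrative PHP written for this page, not LibreNMS source; the function names and the $stored array are hypothetical stand-ins for the stored device attribute, and the DOM check assumes the PHP dom extension is loaded.

```php
<?php
// Added illustration; NOT LibreNMS source. All function and variable names are hypothetical.

// Constructed stand-in for a stored device attribute, as saved by the request shown above.
$stored = ['override_icmp_disable' => '"><img src onerror="alert(1)">'];

// Vulnerable pattern: the stored value is concatenated into an attribute without encoding.
function render_override_unsafe(string $name, array $attribs): string
{
    $val = $attribs[$name] ?? '';
    return '<input type="text" name="' . $name . '" value="' . $val . '">';
}

// Hardened pattern: encode for the HTML attribute context at output time.
function render_override_safe(string $name, array $attribs): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    $val = htmlspecialchars($attribs[$name] ?? '', $flags, 'UTF-8');
    $name = htmlspecialchars($name, $flags, 'UTF-8');
    return '<input type="text" name="' . $name . '" value="' . $val . '">';
}

// Counts the elements an HTML parser actually creates from the rendered markup.
function count_tags(string $html, string $tag): int
{
    libxml_use_internal_errors(true); // parser warnings are not relevant to the check
    $doc = new DOMDocument();
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    return $doc->getElementsByTagName($tag)->length;
}

$unsafe = render_override_unsafe('override_icmp_disable', $stored);
$safe = render_override_safe('override_icmp_disable', $stored);

echo $unsafe, PHP_EOL;
echo $safe, PHP_EOL;

// Unsafe: the payload closes the value attribute and introduces its own <img> element.
// Safe: the payload stays inside value="..." as inert text, so only the <input> exists.
printf("img elements: unsafe=%d safe=%d\n", count_tags($unsafe, 'img'), count_tags($safe, 'img'));
```

Counting parsed elements rather than string-matching the output is a check that can be reused in a regression test for any field that renders stored attribute values.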

Proof of Concept:

1. Add a new device through the LibreNMS interface.
2. Edit the newly created device and select the Misc section.
3. In any of the following fields: "Override default ssh port", "Override default telnet port", "Override default http port" or "Unix agent port", enter the payload: "><img src onerror="alert(document.cookie)">.
4. Save the changes.
5. Observe that when the page loads, the XSS payload executes, triggering a popup that displays the current cookies.

Impact:

Execution of Malicious Code

Database specific
{
    "nvd_published_at": "2025-01-16T23:15:08Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-16T17:32:55Z"
}
Affected packages

Packagist / librenms/librenms

Package

Name
librenms/librenms
Purl
pkg:composer/librenms/librenms

Affected ranges

Type
ECOSYSTEM
Events
Introduced
23.9.0
Fixed
24.11.0

Affected versions

23.*

23.9.0
23.9.1
23.10.0
23.11.0

24.*

24.1.0
24.2.0
24.3.0
24.4.0
24.4.1
24.5.0
24.6.0
24.7.0
24.8.0
24.8.1
24.9.0
24.9.1
24.10.0
24.10.1

Database specific

{
    "last_known_affected_version_range": "< 24.10.1"
}