CVE-2020-11749

AppleBois
Apr 16, 2020

Multiple XSS on PandoraFMS 7.0 NG ≤ 746

PoC : https://packetstormsecurity.com/files/158389/Pandora-FMS-7.0-NG-746-Script-Insertion-Code-Execution.html

We all know XSS is dangerous, especially when an authenticated user can run ‘arbitrary’ commands to reach RCE.
In April I sent an email to PandoraFMS, but I did not receive any confirmation from PandoraFMS regarding the multiple XSS issues.

Reflected XSS on SNMP Browser
I did not verify properly, but I assume it’s fixed on PandoraFMS 7.0NG 746.
1. /etc/snmp/snmpd.conf
http://IP/pandora_console/index.php?sec=snmpconsole&sec2=operation/snmpconsole/snmp_browser

If you want snmpd.conf download >> snmpd.conf

Attacker’s snmpd.conf
Attacker’s IP
SNMP Browser’s Reflected XSS

Reflected XSS
2. Discovery > Host & Devices > Network Scan
http://IP/pandora_console/index.php?sec=godmode/servers/discovery&wiz=hd&sec2=godmode/servers/discovery&wiz=hd&mode=netscan

Vulnerable input tab

Click next, and it will trigger XSS

Triggered XSS

Stored XSS
3. Visual Styles
http://IP/pandora_console/index.php?sec=general&sec2=godmode/setup/setup&section=vis

Custom value post processing ‘text’ input
Module units ‘Value’ input tab
Revisiting the same page will trigger the XSS.

4. Profiles > Modules Tags > Create Tag

http://192.168.11.180/pandora_console/index.php?sec=gusuarios&sec2=godmode/tag/tag

Email input tab is vulnerable
Trigger XSS

5. Stored XSS occurs in ‘system logfiles’
http://192.168.11.180/pandora_console/index.php?sec=godmode/extensions&sec2=extensions/pandora_logs

Go to general setup to enter the malicious input
http://IP/pandora_console/index.php?sec=general&sec2=godmode/setup/setup&section=general

Server log directory

After the ‘Update’ button has been clicked, navigate to ‘system logfiles’

Stored XSS in System logfile

6. Stored XSS on Manage agent group
Profiles > Manage agent groups
http://IP/pandora_console/index.php?sec=gusuarios&sec2=godmode/groups/group_list

To trigger the XSS, move the cursor over the icon.

7. Stored XSS on Network Map
http://IP/pandora_console/index.php?sec=gservers&sec2=godmode/servers/discovery&wiz=hd&mode=customnetscan

Click Finished
Now, to trigger the XSS navigate to

http://IP/pandora_console/index.php?sec=network&sec2=operation/agentes/pandora_networkmap and click Create Network Map

8. Stored XSS on View Events
Event > View Event
http://IP/pandora_console/index.php?sec=eventos&sec2=operation/events/events

We see different event names

Under Event Name, click any one of them and navigate to the comments area

Add comment
Triggered

When you click back on the same event to view its details, the XSS will be triggered too.

Stored XSS

9. Stored XSS on List of special days
Alert > List of Special days
http://IP/pandora_console/index.php?sec=galertas&sec2=godmode/alerts/alert_special_days

Select any date and configure on that date
and click ‘Create’

To Trigger XSS, move your cursor to ‘exclamation mark icon’.

Trigger STORED XSS
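
An added example (not from the original post and not PandoraFMS code) of the server-side handling that closes the kind of issues listed above: encode every stored or reflected value at output, and validate fields such as the tag email and the server log directory on save. All function names, the icon path, and the idea that the hover-triggered items render the value into a `title` attribute are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; none of these are PandoraFMS functions.

// Encode untrusted text for HTML element content or a quoted attribute value.
// This is the actual fix: it covers form input and data that arrives from
// elsewhere (for example strings returned by a remote SNMP agent) alike.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Defence in depth on save: reject a tag email that is not a valid address.
// A valid address can still contain '&' or a single quote, so h() stays mandatory.
function valid_tag_email(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Defence in depth on save: a log directory must be an absolute path made of
// plain path characters, with no ".." segment.
function valid_log_directory(string $path): bool
{
    return preg_match('#\A/[A-Za-z0-9._/-]{0,255}\z#', $path) === 1
        && !in_array('..', explode('/', $path), true);
}

// Icon whose tooltip shows stored text on hover (assumed rendering, made-up icon path).
function tooltip_icon(string $storedText): string
{
    return '<img src="images/info.png" alt="" title="' . h($storedText) . '">';
}

// Constructed sample values, not taken from the page.
$markup = '"><script>alert(1)</script>';

var_dump(valid_tag_email('ops@example.org'));
var_dump(valid_tag_email('ops@example.org' . $markup));
var_dump(valid_log_directory('/var/log/pandora'));
var_dump(valid_log_directory('/var/log/' . $markup));
echo tooltip_icon('Maintenance' . $markup), PHP_EOL;
```

The last line prints the icon with the quote and angle brackets entity-encoded inside `title`, so the stored text stays text when the tooltip is shown.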
