Moshe Ben-Abu has reported some vulnerabilities in OpenNMS, which can be exploited by malicious people to conduct cross-site scripting and HTTP response splitting attacks.

1) Input passed to the "viewName" parameter in surveillanceView.htm and unspecified parameters in asset/modifyAsset, distributedStatusDetails.htm, distributedStatusHistory.htm, event/query, graph/adhoc2.jsp, graph/chooseresource.htm, graph/results.htm, ksc/customView.htm, ksc/formProcMain.htm, notification/browse, notification/list.jsp, outage/list, rtc/category.jsp, statisticsReports/index.htm, and statisticsReports/report.htm is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) Input passed in the URL to event/query is not properly sanitised before being returned to the user. This can be exploited to insert arbitrary HTTP headers, which will be included in a response sent to the user, allowing for execution of arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerabilities are reported in all versions prior to 1.5.96.

Solution
Fixed in version 1.5.96.

Provided and/or discovered by
Moshe Ben-Abu, BugSec Ltd.

Changelog
Further details available to Secunia VIM customers

Original Advisory
OpenNMS:
http://www.opennms.org/documentation/ReleaseNotesUnStable.html
http://bugzilla.opennms.org/show_bug.cgi?id=2760

BugSec Ltd.:
http://www.bugsec.com/up_files/OpenNMS_Multiple_Vulnerabilities.pdf

Deep Links
Links available to Secunia VIM customers