Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Prevent JavaScript injection in Operations Manager 2016 web console



Problem description

Missing input validation and output encoding allow JavaScript injection, leading to Reflected Cross Site Scripting (XSS).

Reflected Cross Site Scripting may be used to inject arbitrary JavaScript into an authenticated page of Microsoft System Center 2016. One may intercept the GET request below and modify the SpaceId parameter to inject arbitrary strings into the left navigation pane of the web console.

GET /OperationsManager/InternalPages/NavigationTree.aspx?SpaceId=1002&ViewId=Favorites_Overview HTTP/1.1

Here is an example of an arbitrary string:
abc%3E%3C","00000000-0000-0000-0000-000000000000");alert(1);//%3E

Once injected, malicious JavaScript can modify the current behavior of the page and be used to deliver trojans, force malicious redirections, spoof content, install keyloggers, leak content, and leak VIEWSTATE and validator tokens (defeating anti-CSRF controls), among other things.



The attack consists of the following steps:

  1. An attacker crafts a specific authenticated GET request to System Center that carries an XSS payload and either tricks the victim into opening the crafted URL or into visiting a phishing page that triggers the specific request.
  2. The authenticated victim loads or reloads the homepage.

Note: The attack is applicable to any ViewId value and to every request that carries the SpaceId query string parameter.




Test case

Expected result: An "Invalid SpaceID" error or an empty pane, and no execution of arbitrary JavaScript.
Outcome: Arbitrary JavaScript is executed.



Resolution

Implement strict input validation. Because SpaceID is only ever an integer, a data-type check on the input is sufficient to remediate the vulnerability.

We have added a check that ensures SpaceID is one of the supported values only (1001 or 1002); otherwise the data in the navigation tree is left empty.
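The two controls the Resolution describes, strict validation of SpaceId and encoding of anything still written into the page, as an added C# example. This is not the Operations Manager web console's own code: the class name, the `loadTree` script fragment it emits and the inline-script layout are assumptions made for illustration; the supported values 1001 and 1002 and the injected string come from this article.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Net;
using System.Web;

// Added example, not code from the Operations Manager web console. It shows the
// two controls the article's Resolution calls for: strict input validation of
// SpaceId (integer, restricted to the supported values 1001 and 1002) and
// output encoding of anything that is still written into the page.
public static class NavigationTreeInput
{
    // Supported SpaceId values named in the article; anything else yields an empty tree.
    private static readonly HashSet<int> SupportedSpaceIds = new HashSet<int> { 1001, 1002 };

    // Returns the validated SpaceId, or null when the request must be treated as invalid.
    // NumberStyles.None rejects signs, whitespace, separators and any non-digit input,
    // so the article's injected string never reaches the allowlist check.
    public static int? ParseSpaceId(string raw)
    {
        if (raw == null) return null;
        if (!int.TryParse(raw, NumberStyles.None, CultureInfo.InvariantCulture, out int id))
            return null;
        return SupportedSpaceIds.Contains(id) ? id : null;
    }

    // Defence in depth: even a validated value is encoded for the context it lands in.
    // The injected string in the article breaks out of a JavaScript string literal, so a
    // value placed inside script needs the JavaScript string encoder; HTML encoding covers
    // element content.
    public static string EncodeForJavaScriptString(string value) =>
        HttpUtility.JavaScriptStringEncode(value ?? string.Empty);

    public static string EncodeForHtml(string value) =>
        WebUtility.HtmlEncode(value ?? string.Empty);

    // Builds the inline script fragment that seeds the navigation tree (hypothetical
    // layout, not the console's actual markup). An invalid SpaceId produces an empty tree
    // and nothing from the request is echoed back.
    public static string BuildTreeScript(string rawSpaceId, string rawViewId)
    {
        int? spaceId = ParseSpaceId(rawSpaceId);
        if (spaceId == null)
            return "loadTree([]);";

        string viewId = EncodeForJavaScriptString(rawViewId);
        return "loadTree([{ spaceId: " + spaceId.Value.ToString(CultureInfo.InvariantCulture)
             + ", viewId: \"" + viewId + "\" }]);";
    }

    public static void Main()
    {
        // Constructed inputs: the article's injected string (URL-decoded) and a valid request.
        string injected = "abc><\",\"00000000-0000-0000-0000-000000000000\");alert(1);//>";
        Console.WriteLine(BuildTreeScript(injected, "Favorites_Overview"));
        Console.WriteLine(BuildTreeScript("1002", "Favorites_Overview"));
        // The same string supplied as ViewId is neutralised by encoding rather than rejected.
        Console.WriteLine(BuildTreeScript("1002", injected));
    }
}
```

The allowlist check alone is what the article's fix relies on; the encoder is kept as a second layer so that a future parameter which is not a plain integer (ViewId, for instance) cannot reintroduce the same break-out from a string literal.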



References

See the security guidance advisory on CVE-2020-1331.



Security classification

Reflected Cross Site Scripting, Content Spoofing



Keywords: CI119577, kbHotfixAuto


Article Info
Article ID : 4566040
Revision : 5
Created on : 6/9/2020
Published on : 6/9/2020
Exists online : False
Views : 316