Nexpose users are urged to update to the lastest version of Nexpose to receive the patch for the described security vulnerability. Note that by default, Nexpose installations update themselves automatically.
A cross-site scripting (XSS) vulnerability has been discovered by Yunus ÇADIRCI and subsequently patched in recent versions of Rapid7's Nexpose vulnerability scanner.
By providing URL-encoded HTML tags (including script tags), an unauthenticated attacker can lure an authenticated (or unauthenticated) victim into disclosing sensitive details regarding the Nexpose session. Nexpose users are urged to update their installation to the latest patches if they are not already on an automated update schedule.
The following proof of concept query is sufficient to exercise the vulnerability:
GET /vulnerability/vuln-summary.jsp?vulnid=-1&nodeid=-1%27%3Cscript%3Ealert(document.location)%3C/script%3E HTTP/1.1 Host: 18.104.22.168:3780
If an authenticated Nexpose user follows this link, she would be presented with a standard alert box displaying the URL location.
Nexpose versions 5.7.19 and prior are affected. Version 5.7.20, released on November 27, 2013, contains the fix, and are not affected by the vulnerability.
Users can mitigate the effects of XSS vulnerabilities by browsing Nexpose consoles in private/incognito browser modes and avoiding websites with untrusted user-generated content while logged in. In addition, site administrators can restrict access to Nexpose consoles to trusted networks with firewall ingress and egress rules in place. Finally, airgapped installations are generally not vulnerable to non-persistent XSS vulnerabilities such as this.
2013-11-22: Private disclosure by Nexpose user @yunuscadirci
2013-11-22: Vulnerability validated by Rapid7 product engineering
2013-11-23: Fix implemented by Rapid7 product engineering
2013-11-27: Update released to address the vulnerability
2013-12-10: Discoverer and Rapid7 coordinate disclosure details
2013-12-11: Public Disclosure
Again, thanks to Yunus for the disclosure -- if you uncover a vulnerability in any of Rapid7's products or assets, we'd appreciate it if you reported it to firstname.lastname@example.org. Our PGP key is Key ID 0x2380F85B8AD4DB8D.