securityvulnsSecurityvulnsSECURITYVULNS:DOC:25905
HistoryMar 11, 2011 - 12:00 a.m.

Re: Cross-Site Scripting vulnerability in Nagios


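/*
 * Remove every '<' and '>' character from a NUL-terminated string, in place.
 *
 * buffer: string to filter; NULL and the empty string are left untouched.
 *
 * Only the two angle-bracket characters are deleted. Quotes, '&' and all
 * other characters pass through unchanged, so the result is not safe to
 * print into an HTML attribute value or a URL as-is: it still has to be
 * escaped for the output context at the point where it is printed.
 */
void strip_html_brackets(char *buffer){
    size_t len;
    size_t src;
    size_t dst=0;

    if(buffer==NULL || buffer[0]=='\x0')
        return;

    /* keep the length as size_t: narrowing strlen() to int would
       truncate the length of a very long string */
    len=strlen(buffer);

    /* remove all occurrences in string: kept characters are copied down
       over the removed ones (dst never runs ahead of src) */
    for(src=0;src<len;src++){
        if(buffer[src]=='<' || buffer[src]=='>')
            continue;
        buffer[dst++]=buffer[src];
        }
    buffer[dst]='\x0';

    return;
    }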

statusmap.c

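/* we found the layer argument */
else if(!strcmp(variables[x],"layer")){
    x++;
    /* the argument name was the last entry: there is no value to read */
    if(variables[x]==NULL){
        error=TRUE;
        break;
        }

    /* only '<' and '>' are removed from the layer value here; quotes and
       other characters are kept, so the stored name still has to be
       escaped wherever it is printed */
    strip_html_brackets(variables[x]);
    add_layer(variables[x]);
    }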

Problem in "statusmap.c"

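/* print layer url info: one "layer" parameter per entry in layer_list,
   either as a URL query fragment (get_method==TRUE) or as a hidden form
   field */
void print_layer_url(int get_method){
    layer *temp_layer;

    for(temp_layer=layer_list;temp_layer!=NULL;temp_layer=temp_layer->next){
        /* reported problem: in this branch layer_name is printed without
           escape_string(), unlike the hidden-field branch below; the fix
           is to pass it through escape_string() here as well */
        if(get_method==TRUE)
            printf("&layer=%s",temp_layer->layer_name);
        else
            printf("<input type='hidden' name='layer' value='%s'>\n",escape_string(temp_layer->layer_name));
        }

    /* ... the rest of the function is not shown in the advisory ... */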

=========
Solution:

if(get_method==TRUE)
/* before the fix: printf("&layer=%s",temp_layer->layer_name); */
/* after the fix: layer_name goes through escape_string() before it is
   printed, matching the hidden-field branch of print_layer_url() */
/* NOTE(review): this value is printed as part of a URL; confirm that
   escape_string() is the right encoding for that output context */
printf("&layer=%s",escape_string(temp_layer->layer_name));

====================
Disclosure Timeline:

09-Mar-2011 - informed developers
09-Mar-2011 - post on Nagios Tracker - http://tracker.nagios.org/view.php?id=207
09-Mar-2011 - Release date of this security advisory
10-Mar-2011 - post on BugTraq - http://www.securityfocus.com/archive/1/516934/30/0/threaded

========
Credits:

Vulnerability found and advisory written by Stefan Schurtz.

===========
References:

http://www.nagios.org
http://www.rul3z.de/advisories/SSCHADV2011-002.txt