Nagios Bug and Feature Tracker

All issues moved to NagiosEnterprises Github

ID: 0000207
Category: [Nagios Core] Other / Unknown
Severity: minor
Reproducibility: always
Date Submitted: 2011-03-09 05:34
Last Update: 2012-05-23 14:15
Reporter: sschurtz
View Status: public
Assigned To:
Priority: normal
Resolution: fixed
Status: closed
Product Version:
Summary: 0000207: Cross-Site Scripting vulnerability in Nagios

Description:

==========================
Vulnerability Description:
==========================

This is a Cross-Site Scripting vulnerability.

JavaScript can be included in style sheets by using "expression()" (IE only)

==================
Technical Details:
==================

The function "strip_html_brackets" strips > and < from the string, but that is not enough to prevent XSS attacks in "statusmap.cgi&layer=":

http://site/nagios/cgi-bin/statusmap.cgi?layer=' style=xss:expression(alert('XSS')) '

http://site/nagios/cgi-bin/statusmap.cgi?layer=' onmouseover="alert('XSS')" '

Additional Information:

-----------
cgiutils.c
-----------

[schnipp]
.
.
/* strip > and < from string */

void strip_html_brackets(char *buffer){
        register int x;
        register int y;
        register int z;

        if(buffer==NULL || buffer[0]=='\x0')
                return;

        /* remove all occurances in string */
        z=(int)strlen(buffer);
        for(x=0,y=0;x<z;x++){
                if(buffer[x]=='<' || buffer[x]=='>')
                        continue;
                buffer[y++]=buffer[x];
                }
        buffer[y++]='\x0';

        return;
        }
.
.
[schnapp]

-----------
statusmap.c
-----------

[schnipp]
.
.
/* we found the layer argument */
         else if(!strcmp(variables[x],"layer")){
                x++;
                if(variables[x]==NULL){
                      error=TRUE;
                      break;
                }

                strip_html_brackets(variables[x]);
                add_layer(variables[x]);
                }
.
.
[schnapp]

-----------
Problem in "statusmap.c"
-----------

[schnipp]
.
.
/* print layer url info */
void print_layer_url(int get_method){
        layer *temp_layer;

        for(temp_layer=layer_list;temp_layer!=NULL;temp_layer=temp_layer->next){
                if(get_method==TRUE)
                        printf("&layer=%s",temp_layer->layer_name); <-- no "escape_string"
                else
                        printf("<input type='hidden' name='layer' value='%s'>\n",escape_string(temp_layer->layer_name));
                }
.
.
[schnapp]

=========
Solution:
=========

if(get_method==TRUE)
          /* printf("&layer=%s",temp_layer->layer_name); */
          printf("&layer=%s",escape_string(temp_layer->layer_name));
Tags: No tags attached.
Nagios Version: Successfully tested on: nagios-3.2.0 / nagios-3.2.3
OS: Linux
OS Version:
Attached Files:

Relationships:

Notes:
(0000297)
ageric (reporter)
2011-05-10 10:05

What's the attack vector on this issue? Does it require a plugin to be run that creates corrupt output, or is it enough to send someone a malicious link?
(0000304)
sschurtz (reporter)
2011-06-01 09:28

hi,

a malicious link is enough, no plugin needed
(0000307)
tonvoon (reporter)
2011-06-13 03:53

Thanks for the report. This is now fixed in commit 1741.
(0000373)
samron (reporter)
2012-02-14 03:04

We found that this was fixed in 3.3.1?

http://nagios.svn.sourceforge.net/viewvc/nagios/nagioscore/trunk/Changelog?view=markup

If this is correct - please close this issue, since this issue is being tracked by some CERT-teams.
(0000440)
mguthrie (reporter)
2012-05-23 14:15

Fixed in 3.3.1

Issue History:
Date Modified Username Field Change
2011-03-09 05:34 sschurtz New Issue
2011-03-09 05:34 sschurtz Nagios Version => Successfully tested on: nagios-3.2.0 / nagios-3.2.3
2011-03-09 05:34 sschurtz OS => Linux
2011-05-10 10:05 ageric Note Added: 0000297
2011-05-11 15:35 cschneemann Issue Monitored: cschneemann
2011-06-01 09:28 sschurtz Note Added: 0000304
2011-06-13 03:53 tonvoon Note Added: 0000307
2012-02-14 03:04 samron Note Added: 0000373
2012-05-23 14:15 mguthrie Note Added: 0000440
2012-05-23 14:15 mguthrie Status new => closed
2012-05-23 14:15 mguthrie Resolution open => fixed

