| ID | 0000207 |
| Category | [Nagios Core] Other / Unknown |
| Severity | minor |
| Reproducibility | always |
| Date Submitted | 2011-03-09 05:34 |
| Last Update | 2012-05-23 14:15 |
| Reporter | sschurtz |
| View Status | public |
| Assigned To | |
| Priority | normal |
| Resolution | fixed |
| Status | closed |
| Product Version | |
| Summary | 0000207: Cross-Site Scripting vulnerability in Nagios |
| Description |

==========================
Vulnerability Description:
==========================

This is a Cross-Site Scripting vulnerability. JavaScript can be included in style sheets by using "expression()" (IE only).

==================
Technical Details:
==================

The function "strip_html_brackets" strips > and < from the string, but it's not enough to prevent XSS attacks in "statusmap.cgi&layer=":

http://site/nagios/cgi-bin/statusmap.cgi?layer=' style=xss:expression(alert('XSS')) '

http://site/nagios/cgi-bin/statusmap.cgi?layer=' onmouseover="alert('XSS')" '
| Additional Information |

-----------
cgiutils.c
-----------

[schnipp]

```c
/* strip > and < from string */
void strip_html_brackets(char *buffer){
	register int x;
	register int y;
	register int z;

	if(buffer==NULL || buffer[0]=='\x0')
		return;

	/* remove all occurrences in string */
	z=(int)strlen(buffer);
	for(x=0,y=0;x<z;x++){
		if(buffer[x]=='<' || buffer[x]=='>')
			continue;
		buffer[y++]=buffer[x];
		}
	buffer[y++]='\x0';

	return;
	}
```

[schnapp]

-----------
statusmap.c
-----------

[schnipp]

```c
/* we found the layer argument */
else if(!strcmp(variables[x],"layer")){
	x++;
	if(variables[x]==NULL){
		error=TRUE;
		break;
		}

	strip_html_brackets(variables[x]);
	add_layer(variables[x]);
	}
```

[schnapp]

-----------
Problem in "statusmap.c"
-----------

[schnipp]

```c
/* print layer url info */
void print_layer_url(int get_method){
	layer *temp_layer;

	for(temp_layer=layer_list;temp_layer!=NULL;temp_layer=temp_layer->next){
		if(get_method==TRUE)
			printf("&layer=%s",temp_layer->layer_name);   /* <-- no "escape_string" */
		else
			printf("<input type='hidden' name='layer' value='%s'>\n",escape_string(temp_layer->layer_name));
		}
```

[schnapp]

=========
Solution:
=========

```c
if(get_method==TRUE)
	/* printf("&layer=%s",temp_layer->layer_name); */
	printf("&layer=%s",escape_string(temp_layer->layer_name));
```
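To make the gap concrete: an added example (not Nagios code) that re-implements the bracket-stripping logic from the report, runs the report's second payload through it, and shows that the quote, space and `=` characters survive, whereas percent-encoding the value (an assumed stand-in for `escape_string`, written here as `url_encode`) leaves nothing that can close or start an HTML attribute in the `&layer=` query string.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same logic as Nagios's strip_html_brackets(): drops only '<' and '>'. */
void strip_html_brackets(char *buffer) {
    size_t x, y;
    if (buffer == NULL || buffer[0] == '\0')
        return;
    for (x = 0, y = 0; buffer[x] != '\0'; x++) {
        if (buffer[x] == '<' || buffer[x] == '>')
            continue;
        buffer[y++] = buffer[x];
    }
    buffer[y] = '\0';
}

/* Percent-encode every byte outside the RFC 3986 unreserved set.
   Assumed stand-in for Nagios's escape_string(); caller must free(). */
char *url_encode(const char *s) {
    char *out = malloc(3 * strlen(s) + 1), *p = out;
    if (out == NULL)
        return NULL;
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (isalnum(c) || c == '-' || c == '_' || c == '.' || c == '~')
            *p++ = (char)c;
        else
            p += sprintf(p, "%%%02X", c);
    }
    *p = '\0';
    return out;
}

/* 1 if the string still holds a character that can close a quoted
   attribute or start a new one once echoed via printf("&layer=%s"). */
int breaks_attribute(const char *s) {
    return strpbrk(s, "'\" =") != NULL;
}

int main(void) {
    /* Constructed sample, modelled on the report's onmouseover link. */
    char layer[] = "' onmouseover=\"alert('XSS')\" '";
    strip_html_brackets(layer);
    printf("stripped: %s  unsafe=%d\n", layer, breaks_attribute(layer));
    char *enc = url_encode(layer);
    printf("encoded:  %s  unsafe=%d\n", enc, breaks_attribute(enc));
    free(enc);
    return 0;
}
```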
| Tags | No tags attached. |
| Nagios Version | Successfully tested on: nagios-3.2.0 / nagios-3.2.3 |
| OS | Linux |
Notes

(0000297) ageric (administrator) 2011-05-10 10:05
What's the attack vector on this issue? Does it require a plugin to be run that creates corrupt output, or is it enough to send someone a malicious link?

(0000304) sschurtz (reporter) 2011-06-01 09:28
Hi, a malicious link is enough. No plugin needed.

(0000307) tonvoon (administrator) 2011-06-13 03:53
Thanks for the report. This is now fixed in commit 1741.

(0000373) samron (reporter) 2012-02-14 03:04
We found that this was fixed in 3.3.1? http://nagios.svn.sourceforge.net/viewvc/nagios/nagioscore/trunk/Changelog?view=markup If this is correct, please close this issue, since this issue is being tracked by some CERT teams.

(0000440) mguthrie (administrator) 2012-05-23 14:15
Fixed in 3.3.1
Mantis 1.1.7 Copyright © 2000 - 2008 Mantis Group