Nagios Bug and Feature Tracker

All issues moved to NagiosEnterprises Github

ID: 0000224
Category: [Nagios Core] Other / Unknown
Severity: minor
Reproducibility: always
Date Submitted: 2011-06-01 09:32
Last Update: 2012-09-18 00:16
Reporter: sschurtz
View Status: public
Assigned To: ageric
Priority: normal
Resolution: fixed
Status: closed
Product Version:
Summary: 0000224: Cross-Site Scripting vulnerability in Nagios
Description:

Advisory: Cross-Site Scripting vulnerability in Nagios
Advisory ID: SSCHADV2011-006
Author: Stefan Schurtz
Affected Software: Successfully tested on: nagios 3.2.3
Vendor URL: http://www.nagios.org
Vendor Status: informed
CVE-ID: -

==========================
Vulnerability Description:
==========================

This is a Cross-Site Scripting vulnerability

==================
Technical Details:
==================

No input validation for "expand" in config.c(gi)

View Config -> Command Expansion -> To expand -> <script>alert(String.fromCharCode(88,83,83))</script>
View Config -> Command Expansion -> To expand -> <body onload=alert(666)>

or

http://www.example.com/nagios/cgi-bin/config.cgi?type=command&expand=<script>alert(String.fromCharCode(88,83,83))</script>
http://www.example.com/nagios/cgi-bin/config.cgi?type=command&expand=<body onload=alert(666)>

=========
Solution:
=========

in config.c

< printf("<TR CLASS='dataEven'><TD CLASS='dataEven'>To expand:</TD><TD CLASS='dataEven'>%s",command_args[0]);

> printf("<TR CLASS='dataEven'><TD CLASS='dataEven'>To expand:</TD><TD CLASS='dataEven'>%s",escape_string(command_args[0]));
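
Review bot: escaping is applied only at this single printf of command_args[0] in config.c, so if any other statement in config.cgi writes the expand value or the arguments split from it back into the page, that output is still unencoded. Consider encoding at every output site that prints request-derived data, or validating the expand parameter where it is read, and add a comment stating which encoding escape_string() performs so it can be confirmed as suitable for HTML element content.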

====================
Disclosure Timeline:
====================

01-Jun-2011 - informed developers

========
Credits:
========

Vulnerability found and advisory written by Stefan Schurtz.

===========
References:
===========

http://www.nagios.org
http://www.rul3z.de/advisories/SSCHADV2011-006.txt

Additional Information:
Tags: No tags attached.
Nagios Version: Successfully tested on: nagios-3.2.3
OS: Linux
OS Version:
Attached Files:

Relationships

Notes
(0000305)
dnsmichi (reporter)
2011-06-01 10:58

The proposed fix needs to be enlarged onto the complete config.cgi and the GET param itself. See https://dev.icinga.org/issues/1605 for a proposed fix too, which is tested working on the Icinga CGIs - which possibly works with Nagios CGIs then too.
(0000308)
tonvoon (reporter)
2011-06-13 03:53

Thanks for the report. This is now fixed in commit 1741.
(0000592)
ageric (reporter)
2012-09-18 00:16

Fixed a long time ago by Ton, but left lingering in the poor tracker.

Issue History
Date Modified Username Field Change
2011-06-01 09:32 sschurtz New Issue
2011-06-01 09:32 sschurtz Nagios Version => Successfully tested on: nagios-3.2.3
2011-06-01 09:32 sschurtz OS => Linux
2011-06-01 10:58 dnsmichi Note Added: 0000305
2011-06-13 03:53 tonvoon Note Added: 0000308
2012-09-18 00:15 ageric Status new => assigned
2012-09-18 00:15 ageric Assigned To => ageric
2012-09-18 00:16 ageric Note Added: 0000592
2012-09-18 00:16 ageric Status assigned => closed
2012-09-18 00:16 ageric Resolution open => fixed

