Summary
Name: Nagios XI Network Monitor – Stored and Reflective XSS
Release Date: 30 November 2012
Reference: NGS00195
Discoverer: Daniel Compton
Vendor: Nagios
Vendor Reference: 0000284
Systems Affected: 2011R1.9
Risk: High
Status: Published
TimeLine
Discovered: 30 January 2012
Released: 31 January 2012
Approved: 31 January 2012
Reported: 31 January 2012
Fixed: 4 June 2012
Published: 30 November 2012
Description
Nagios XI Network Monitor 2011R1.9 – Stored and Reflective Cross Site
Scripting (XSS) within the administrator/monitoring interface. This is a
commercial product for monitoring servers and network equipment.
I. VULNERABILITY
Nagios XI Network Monitor 2011R1.9 suffers from XSS (reflective and stored)
in several pages and parameters. This is exploitable as an authenticated
user.
II. BACKGROUND
Nagios provides enterprise-level network and server monitoring software.
III. DESCRIPTION
XSS vulnerabilities have been found and confirmed within the software as an
authenticated user. This is the latest version of Nagios XI.
Technical Details
IV. PROOF OF CONCEPT
The following URLs and parameters have all been confirmed to suffer from
stored XSS:
/nagiosxi/tools/mytools.php (POST parameter: id)
/nagiosql/admin/helpedit.php (POST parameters: hidKey1, tfName)
CODE:
http://192.168.1.121/nagiosxi/tools/mytools.php?nsp=8cf87633a51a8bb933f2ee99940e7937&update=1&id=a92c7'><script>alert(document.cookie)</script>d4a5bb8c0dd&name=New+Tool&url=x&updateButton=Save
The following URL has been confirmed to suffer from reflective XSS (many
other potentially vulnerable URLs are listed at the bottom).
/nagiosxi/admin/dtoutbound.php (GET parameter: address)
CODE:
/nagiosxi/admin/dtoutbound.php?options=1&nsp=8cf87633a51a8bb933f2ee99940e7937&update=1&outbound_data_filter_mode=exclude&outbound_data_host_name_filters=%2F%5Elocalhost%2F%0D%0A%2F%5E127%5C.0%5C.0%5C.1%2F&nrdp_target_hosts%5B0%5D%5Baddress%5D=219b7<script>alert(document.cookie)</script>
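As an added example (not part of the original advisory and not Nagios code), the following Python scans web-server access-log lines for requests in which the confirmed parameters above carry HTML metacharacters, including values that were percent-encoded more than once. The Apache combined log format, the sample lines and all function names are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoint -> parameter names the advisory lists as confirmed XSS sinks.
WATCHED = {
    "/nagiosxi/tools/mytools.php": {"id"},
    "/nagiosql/admin/helpedit.php": {"hidKey1", "tfName"},
    "/nagiosxi/admin/dtoutbound.php": {"address"},
}
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
MARKUP = re.compile(r"[<>\"']")  # characters that can break out of an HTML context

def fully_decode(value, rounds=3):
    """Undo up to `rounds` additional layers of percent-encoding."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Return (path, parameter) pairs whose value carries HTML metacharacters."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    watched = WATCHED.get(url.path, set())
    hits = []
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        # Reduce array-style names: nrdp_target_hosts[0][address] -> "address"
        parts = re.findall(r"[^\[\]]+", fully_decode(key))
        leaf = parts[-1] if parts else ""
        if leaf in watched and MARKUP.search(fully_decode(value)):
            hits.append((url.path, leaf))
    return hits

# Constructed sample lines (assumed Apache combined format, documentation IPs).
SAMPLE_LOG = [
    '192.0.2.7 - - [01/Feb/2012:10:00:00 +0000] "GET /nagiosxi/admin/dtoutbound.php?options=1&update=1&nrdp_target_hosts%5B0%5D%5Baddress%5D=219b7%3Cb%3E HTTP/1.1" 200 512',
    '192.0.2.8 - - [01/Feb/2012:10:01:00 +0000] "GET /nagiosxi/admin/dtoutbound.php?update=1&nrdp_target_hosts%5B0%5D%5Baddress%5D=192.0.2.10 HTTP/1.1" 200 498',
    '192.0.2.7 - - [01/Feb/2012:10:02:00 +0000] "GET /nagiosxi/tools/mytools.php?update=1&id=a92c7%2527%253E&name=New+Tool HTTP/1.1" 200 733',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for path, param in suspicious_params(line):
            print(f"markup in {param!r} sent to {path}")
```

Parameters submitted in a POST body do not appear in a standard access log, so covering the stored XSS POST parameters needs a log source that records request bodies.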
Potential/unconfirmed XSS findings:
/nagiosql/admin/cgicfg.php [taNagiosCfg parameter]
/nagiosql/admin/checkcommands.php [hidLimit parameter]
/nagiosql/admin/helpedit.php [hidKey1, hidKey2, hidVersion parameter]
/nagiosql/admin/hostgroups.php [hidLimit parameter]
/nagiosql/admin/hosts.php [hidLimit parameter]
/nagiosql/admin/import.php [txtSearch parameter]
/nagiosql/admin/servicegroups.php [hidLimit parameter]
/nagiosql/admin/services.php [hidLimit, tfName parameter]
/nagiosxi/admin/mobilecarriers.php [description, format, id, parameter]
/nagiosxi/admin/users.php [user_id parameter]
/nagiosxi/admin/users.php [user_id[] parameter]
/nagiosxi/config/monitoringwizard.php
[first_notification_delay, passbackdata, cpu_critical, disk, disk_critical,
disk_warning, memory_critical, memory_warning, current_load, current_users,
HTTP, PING, root_partition, SSH, Swap_usage_ total_processes, servicestate,
uptime, wizard. wizardoutput parameter]
/nagiosxi/includes/components/graphexplorer/visApi.php [div, end, host,
service, start parameter]
/nagiosxi/includes/components/xicore/status.php [host, show parameter]
/nagiosxi/tools/mytools.php [id name parameter]
/nagiosxi/admin/mibs.php [filename multipart parameter attribute]
/nagiosxi/admin/monitoringplugins.php [filename multipart parameter
attribute]
Fix Information
Confirmed and resolved by Nagios.
http://tracker.nagios.org/view.php?id=284
Fixed in release XI 2011r3.0
http://assets.nagios.com/downloads/nagiosxi/CHANGES-2011.TXT
- Fixed XSS vulnerabilities reported by user:
0a29406d9794e4f9b30b3c5d6702c708 -MG