Nagios XI Network Monitor – Stored and Reflective XSS

Summary

Name: Nagios XI Network Monitor – Stored and Reflective XSS
Release Date: 30 November 2012
Reference: NGS00195
Discoverer: Daniel Compton 
Vendor: Nagios
Vendor Reference: 0000284
Systems Affected: 2011R1.9
Risk: High
Status: Published

Timeline

Discovered: 30 January 2012
Released: 31 January 2012
Approved: 31 January 2012
Reported: 31 January 2012
Fixed:  4 June 2012
Published: 30 November 2012

Description

Nagios XI Network Monitor 2011R1.9 – Stored and Reflective Cross Site
Scripting (XSS) within the administrator/monitoring interface. This is a
commercial product for monitoring servers and network monitoring equipment.

I. VULNERABILITY

Nagios XI Network Monitor 2011R1.9 suffers from XSS (reflective and stored)
in several pages and parameters. This is exploitable as an authenticated
user.

II. BACKGROUND

Nagios provides enterprise-level network and server monitoring software.

http://www.nagios.com/

III. DESCRIPTION

XSS vulnerabilities have been found and confirmed within the software as an
authenticated user. This is the latest version of Nagios XI.

Technical Details

IV. PROOF OF CONCEPT

The following URLs and parameters have all been confirmed to suffer from
Stored XSS:

/nagiosxi/tools/mytools.php (POST parameter: id)
/nagiosql/admin/helpedit.php (POST parameters: hidKey1, tfName)

CODE:


http://192.168.1.121/nagiosxi/tools/mytools.php?nsp=8cf87633a51a8bb933f2ee99940e7937&update=1&id=a92c7'><script>alert(document.cookie)</script>d4a5bb8c0dd&name=New+Tool&url=x&updateButton=Save

The following URL has been confirmed to suffer from Reflective XSS (many
other potentially vulnerable URLs are listed at the bottom).

/nagiosxi/admin/dtoutbound.php (GET parameter: address)

CODE:

/nagiosxi/admin/dtoutbound.php?options=1&nsp=8cf87633a51a8bb933f2ee99940e7937&update=1&outbound_data_filter_mode=exclude&outbound_data_host_name_filters=%2F%5Elocalhost%2F%0D%0A%2F%5E127%5C.0%5C.0%5C.1%2F&nrdp_target_hosts%5B0%5D%5Baddress%5D=219b7<script>alert(document.cookie)</script>
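
A defender-side check for the confirmed parameters above, added here as an example and not part of the original advisory: it scans web server access log lines for requests to those three endpoints whose named parameter carries HTML markup characters after URL decoding. The combined log format, the function names and the sample log lines are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Endpoint -> parameters this advisory lists as confirmed vulnerable.
CONFIRMED = {
    "/nagiosxi/tools/mytools.php": {"id"},
    "/nagiosql/admin/helpedit.php": {"hidKey1", "tfName"},
    "/nagiosxi/admin/dtoutbound.php": {"address"},
}
# Characters needed to close an attribute or open a tag, as both PoCs do.
MARKUP = re.compile(r"[<>'\"]")
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def leaf_name(param):
    """Reduce PHP array syntax: nrdp_target_hosts[0][address] -> address."""
    parts = re.findall(r"[^\[\]]+", param)
    return parts[-1] if parts else param

def suspicious_params(log_line):
    """Return (path, parameter, decoded value) for each flagged parameter."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    watched = CONFIRMED.get(url.path, set())
    return [
        (url.path, name, value)
        for name, value in parse_qsl(url.query, keep_blank_values=True)
        if leaf_name(name) in watched and MARKUP.search(value)
    ]

# Constructed sample log lines (addresses, users and timestamps are made up).
SAMPLE_LOG = [
    '10.0.0.5 - admin [30/Jan/2012:10:00:01 +0000] "GET /nagiosxi/admin/dtoutbound.php?options=1&update=1&nrdp_target_hosts%5B0%5D%5Baddress%5D=219b7%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120',
    '10.0.0.5 - admin [30/Jan/2012:10:00:09 +0000] "GET /nagiosxi/admin/dtoutbound.php?options=1&nrdp_target_hosts%5B0%5D%5Baddress%5D=192.0.2.10 HTTP/1.1" 200 5098',
    '10.0.0.7 - jdoe [30/Jan/2012:10:02:44 +0000] "GET /nagiosxi/tools/mytools.php?update=1&id=a92c7%27%3E&name=New+Tool HTTP/1.1" 200 2210',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for hit in suspicious_params(line):
            print(hit)
```

Access logs normally record only the request line, so values submitted in a POST body (the advisory lists id, hidKey1 and tfName as POST parameters) are only visible to this check when they arrive in the query string.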

Potential/unconfirmed XSS findings:

/nagiosql/admin/cgicfg.php [taNagiosCfg parameter]
/nagiosql/admin/checkcommands.php [hidLimit parameter]
/nagiosql/admin/helpedit.php [hidKey1, hidKey2, hidVersion parameter]
/nagiosql/admin/hostgroups.php [hidLimit parameter]
/nagiosql/admin/hosts.php [hidLimit parameter]
/nagiosql/admin/import.php [txtSearch parameter]
/nagiosql/admin/servicegroups.php [hidLimit parameter]
/nagiosql/admin/services.php [hidLimit, tfName parameter]
/nagiosxi/admin/mobilecarriers.php [description, format, id, parameter]
/nagiosxi/admin/users.php [user_id parameter]
/nagiosxi/admin/users.php [user_id[] parameter]
/nagiosxi/config/monitoringwizard.php
[first_notification_delay,passbackdata, cpu_critical, disk, disk_critical,
disk_warning, memory_critical, memory_warning, current_load, current_users,
HTTP, PING, root_partition, SSH, Swap_usage_ total_processes,servicestate,
uptime,wizard. wizardoutput parameter]
/nagiosxi/includes/components/graphexplorer/visApi.php [div, end, host,
service, start parameter]
/nagiosxi/includes/components/xicore/status.php [host, show parameter]
/nagiosxi/tools/mytools.php [id name parameter]
/nagiosxi/admin/mibs.php [filename multipart parameter attribute]
/nagiosxi/admin/monitoringplugins.php [filename multipart parameter
attribute]

Fix Information

Confirmed and resolved by Nagios.

http://tracker.nagios.org/view.php?id=284

Fixed in release XI 2011r3.0

http://assets.nagios.com/downloads/nagiosxi/CHANGES-2011.TXT

  • Fixed XSS vulnerabilities reported by user:
    0a29406d9794e4f9b30b3c5d6702c708  -MG
