========================== Vulnerability Description: ========================== This is Cross-Site Scripting vulnerability JavaScript can be included in style sheets by using "expression()" (IE only) ================== Technical Details: ================== The function "strip_html_brackets" strip > and < from string but its not enough to prevent XSS attacks in "statusmap.cgi&layer=" http://site/nagios/cgi-bin/statusmap.cgi?layer=' [^] style=xss:expression(alert('XSS')) ' http://site/nagios/cgi-bin/statusmap.cgi?layer=' [^] onmouseover="alert('XSS')" ' Additional Information ----------- cgiutils.c ----------- [schnipp] . . /* strip > and < from string */ void strip_html_brackets(char *buffer){ register int x; register int y; register int z; if(buffer==NULL || buffer[0]=='\x0') return; /* remove all occurances in string */ z=(int)strlen(buffer); for(x=0,y=0;x<z;x++){ if(buffer[x]=='<' || buffer[x]=='>') continue; buffer[y++]=buffer[x]; } buffer[y++]='\x0'; return; } . . [schnapp] ----------- statusmap.c ----------- [schnipp] . . /* we found the layer argument */ else if(!strcmp(variables[x],"layer")){ x++; if(variables[x]==NULL){ error=TRUE; break; } strip_html_brackets(variables[x]); add_layer(variables[x]); } . . [schnapp] ----------- Problem in "statusmap.c" ----------- [schnipp] . . /* print layer url info */ void print_layer_url(int get_method){ layer *temp_layer; for(temp_layer=layer_list;temp_layer!=NULL;temp_layer=temp_layer->next){ if(get_method==TRUE) printf("&layer=%s",temp_layer->layer_name); <-- no "escape_string" else printf("<input type='hidden' name='layer' value='%s'>\n",escape_string(temp_layer->layer_name)); } . . [schnapp] ========= Solution: ========= if(get_method==TRUE) /* printf("&layer=%s",temp_layer->layer_name); */ printf("&layer=%s",escape_string(temp_layer->layer_name));