Nagios Core 3.2.3 XSS

2011.05.08
Credit: sschurtz
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

==========================
Vulnerability Description:
==========================

This is a Cross-Site Scripting vulnerability.
JavaScript can be included in style sheets by using "expression()" (IE only).

==================
Technical Details:
==================

The function "strip_html_brackets" strips > and < from a string, but this is not enough to prevent XSS attacks in "statusmap.cgi&layer=".

http://site/nagios/cgi-bin/statusmap.cgi?layer=' style=xss:expression(alert('XSS')) '
http://site/nagios/cgi-bin/statusmap.cgi?layer=' onmouseover="alert('XSS')" '

Additional Information

-----------
cgiutils.c
-----------

[schnipp]
.
.
/* strip > and < from string */
void strip_html_brackets(char *buffer){
	register int x;
	register int y;
	register int z;

	if(buffer==NULL || buffer[0]=='\x0')
		return;

	/* remove all occurrences in string */
	z=(int)strlen(buffer);
	for(x=0,y=0;x<z;x++){
		if(buffer[x]=='<' || buffer[x]=='>')
			continue;
		buffer[y++]=buffer[x];
		}
	buffer[y++]='\x0';

	return;
	}
.
.
[schnapp]

-----------
statusmap.c
-----------

[schnipp]
.
.
/* we found the layer argument */
else if(!strcmp(variables[x],"layer")){
	x++;
	if(variables[x]==NULL){
		error=TRUE;
		break;
		}

	strip_html_brackets(variables[x]);
	add_layer(variables[x]);
	}
.
.
[schnapp]

-----------
Problem in "statusmap.c"
-----------

[schnipp]
.
.
/* print layer url info */
void print_layer_url(int get_method){
	layer *temp_layer;

	for(temp_layer=layer_list;temp_layer!=NULL;temp_layer=temp_layer->next){
		if(get_method==TRUE)
			printf("&layer=%s",temp_layer->layer_name);   /* <-- no "escape_string" */
		else
			printf("<input type='hidden' name='layer' value='%s'>\n",escape_string(temp_layer->layer_name));
		}
.
.
[schnapp]

=========
Solution:
=========

if(get_method==TRUE)
	/* printf("&layer=%s",temp_layer->layer_name); */
	printf("&layer=%s",escape_string(temp_layer->layer_name));
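Why bracket stripping alone leaves the "layer" value unsafe, and what output encoding changes, shown as an added example that is not part of the original advisory or of the Nagios source. strip_html_brackets follows the logic quoted above; has_attr_breakout, attr_escape and survives_strip are hypothetical helpers, and attr_escape is a stand-in encoder, not Nagios' escape_string.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* strip > and < from string (logic as quoted in the advisory) */
static void strip_html_brackets(char *buffer){
	size_t x, y;
	if(buffer==NULL || buffer[0]=='\0') return;
	for(x=0,y=0;buffer[x]!='\0';x++){
		if(buffer[x]=='<' || buffer[x]=='>') continue;
		buffer[y++]=buffer[x];
	}
	buffer[y]='\0';
}

/* hypothetical helper: 1 if the string can still close a quoted attribute */
static int has_attr_breakout(const char *s){
	return strpbrk(s,"'\"")!=NULL;
}

/* hypothetical stand-in encoder: every non-alphanumeric byte becomes a
   numeric character reference; returns NULL if the result does not fit */
static const char *attr_escape(const char *in){
	static char out[512];
	size_t n=0;
	for(;*in!='\0';in++){
		unsigned char c=(unsigned char)*in;
		if(n+7>sizeof(out)) return NULL;   /* room for "&#255;" plus NUL */
		if(isalnum(c)) out[n++]=(char)c;
		else n+=(size_t)sprintf(out+n,"&#%u;",(unsigned)c);
	}
	out[n]='\0';
	return out;
}

/* 1 if the value can still leave its attribute after bracket stripping */
static int survives_strip(const char *payload){
	char buf[256];
	snprintf(buf,sizeof(buf),"%s",payload);
	strip_html_brackets(buf);
	return has_attr_breakout(buf);
}

int main(void){
	/* constructed sample: the onmouseover value shown in the advisory */
	const char *p="' onmouseover=\"alert('XSS')\" ";
	printf("after strip_html_brackets: breakout possible = %d\n",survives_strip(p));
	printf("after attr_escape: %s\n",attr_escape(p));
	return 0;
}
```

The quote characters pass through strip_html_brackets untouched, so the value can end the attribute it is printed into; once every non-alphanumeric byte is encoded at output time, no quote remains to do so.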

References:

https://bugzilla.redhat.com/show_bug.cgi?id=690877
http://www.rul3z.de/advisories/SSCHADV2011-002.txt
http://tracker.nagios.org/view.php?id=207
http://secunia.com/advisories/43287
http://openwall.com/lists/oss-security/2011/03/28/4
http://openwall.com/lists/oss-security/2011/03/25/3

