Full Disclosure mailing list archives
Cross-Site Scripting vulnerability in Nagios
From: "sschurtz () t-online de" <sschurtz () t-online de>
Date: Thu, 10 Mar 2011 18:50:05 +0100
Advisory: Cross-Site Scripting vulnerability in Nagios
Advisory ID: SSCHADV2011-002
Author: Stefan Schurtz
Affected Software: Successfully tested on: nagios-3.2.0 / nagios-3.2.3
Vendor URL: http://www.nagios.org
Vendor Status: 0000207: Cross-Site Scripting vulnerability in Nagios
CVE-ID: -

==========================
Vulnerability Description:
==========================

This is a Cross-Site Scripting vulnerability. JavaScript can be included in style sheets by using "expression()" (IE only).

==================
Technical Details:
==================

The function "strip_html_brackets" strips > and < from a string, but that is not enough to prevent XSS attacks in "statusmap.cgi&layer=":

http://site/nagios/cgi-bin/statusmap.cgi?layer=' style=xss:expression(alert('XSS')) '
http://site/nagios/cgi-bin/statusmap.cgi?layer=' onmouseover="alert('XSS')" '

-----------
cgiutils.c
-----------

/* strip > and < from string */
void strip_html_brackets(char *buffer){
	register int x;
	register int y;
	register int z;

	if(buffer==NULL || buffer[0]=='\x0')
		return;

	/* remove all occurrences in string */
	z=(int)strlen(buffer);
	for(x=0,y=0;x<z;x++){
		if(buffer[x]=='<' || buffer[x]=='>')
			continue;
		buffer[y++]=buffer[x];
	}
	buffer[y++]='\x0';

	return;
}

-----------
statusmap.c
-----------

/* we found the layer argument */
else if(!strcmp(variables[x],"layer")){
	x++;
	if(variables[x]==NULL){
		error=TRUE;
		break;
	}

	strip_html_brackets(variables[x]);
	add_layer(variables[x]);
}

-----------
Problem in "statusmap.c"
-----------

/* print layer url info */
void print_layer_url(int get_method){
	layer *temp_layer;

	for(temp_layer=layer_list;temp_layer!=NULL;temp_layer=temp_layer->next){
		if(get_method==TRUE)
			printf("&layer=%s",temp_layer->layer_name); /* <-- no "escape_string" */
		else
			printf("<input type='hidden' name='layer' value='%s'>\n",escape_string(temp_layer->layer_name));
	}
}

=========
Solution:
=========

if(get_method==TRUE)
	/* printf("&layer=%s",temp_layer->layer_name); */
	printf("&layer=%s",escape_string(temp_layer->layer_name));

====================
Disclosure Timeline:
====================

09-Mar-2011 - informed developers
09-Mar-2011 - post on Nagios Tracker - http://tracker.nagios.org/view.php?id=207
09-Mar-2011 - Release date of this security advisory
10-Mar-2011 - post on BugTraq - http://www.securityfocus.com/archive/1/516934/30/0/threaded

========
Credits:
========

Vulnerability found and advisory written by Stefan Schurtz.

===========
References:
===========

http://www.nagios.org
http://www.rul3z.de/advisories/SSCHADV2011-002.txt
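Added example, not part of the advisory or of the Nagios source: a small C program that runs the advisory's second "layer" value through the quoted strip_html_brackets() and then through an entity-encoding step, to show why removing only < and > leaves the attribute-closing quotes intact. html_attr_escape() and render_layer() are hypothetical names introduced here; html_attr_escape() stands in for an HTML escaper and is not Nagios's escape_string().

```c
#include <stdio.h>
#include <string.h>

/* Bracket stripping as quoted in the advisory (cgiutils.c). */
void strip_html_brackets(char *buffer){
	int x,y,z;
	if(buffer==NULL || buffer[0]=='\0') return;
	z=(int)strlen(buffer);
	for(x=0,y=0;x<z;x++){
		if(buffer[x]=='<' || buffer[x]=='>') continue;
		buffer[y++]=buffer[x];
	}
	buffer[y]='\0';
}

/* Hypothetical helper, not Nagios's escape_string(): entity-encode quote and
 * markup characters. Returns 0, or -1 if out is too small. */
int html_attr_escape(const char *in,char *out,size_t outsz){
	static const char *ents[]={"&amp;","&lt;","&gt;","&quot;","&#39;"};
	const char *special="&<>\"'";
	size_t o=0,n;
	for(;*in;in++,o+=n){
		const char *p=strchr(special,*in), *rep=p?ents[p-special]:NULL;
		n=rep?strlen(rep):1;
		if(o+n>=outsz) return -1;          /* keep room for the terminator */
		if(rep) memcpy(out+o,rep,n); else out[o]=*in;
	}
	if(o>=outsz) return -1;
	out[o]='\0';
	return 0;
}

/* Build the "&layer=..." fragment the way print_layer_url() does for a GET
 * link; escape=0 is the reported behaviour, escape=1 the escaped variant. */
const char *render_layer(const char *raw,int escape){
	static char tmp[256],esc[1024],out[1100];
	snprintf(tmp,sizeof tmp,"%s",raw);
	strip_html_brackets(tmp);
	if(escape && html_attr_escape(tmp,esc,sizeof esc)!=0) return NULL;
	snprintf(out,sizeof out,"&layer=%s",escape?esc:tmp);
	return out;
}

int main(void){
	const char *layer="' onmouseover=\"alert('XSS')\" '"; /* from the advisory */
	printf("unescaped: %s\n",render_layer(layer,0));
	printf("escaped:   %s\n",render_layer(layer,1));
	return 0;
}
```

In the unescaped output both quote characters pass through unchanged; in the escaped output they appear only as &#39; and &quot;, so the value can no longer terminate the attribute it is written into.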