oss-sec mailing list archives

CVE Request -- Nagios -- XSS in the network status map CGI script


From: Jan Lieskovsky <jlieskov () redhat com>
Date: Fri, 25 Mar 2011 18:06:33 +0100


Hello Steve, vendors,

  Cross-site scripting (XSS) vulnerability in Nagios allows remote
attackers to inject arbitrary web script or HTML via a specially crafted
'layer' parameter passed to the Nagios network status map CGI script
(statusmap.cgi).

References:
[1] http://tracker.nagios.org/view.php?id=207
[2] http://www.rul3z.de/advisories/SSCHADV2011-002.txt
[3] http://secunia.com/advisories/43287/
[4] https://bugzilla.redhat.com/show_bug.cgi?id=690877

Public PoC (from [2]):
=====================
http://site/nagios/cgi-bin/statusmap.cgi?layer=' onmouseover="alert('XSS')" '

This doesn't seem to have a CVE id yet, so could you allocate one?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
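The pattern behind this class of bug, shown as an added example in C that is not Nagios code and not part of the message above: a CGI handler that pastes the untrusted 'layer' value into a single-quoted HTML attribute (an assumed rendering, chosen because the PoC payload opens with a quote to close the attribute), beside the same rendering with HTML attribute escaping applied first. The payload is the one from the PoC, URL-decoded; the `<area>` template, the function names and the quote-counting check are illustrative and not taken from the Nagios sources.

```c
#include <stdio.h>
#include <string.h>

/* Size of the rendered fragment buffers used in this example. */
#define OUT_MAX 512

/* Assumed vulnerable pattern: the untrusted "layer" value is written into a
 * single-quoted attribute verbatim. A value containing ' closes the attribute
 * early and the rest of the value becomes new attribute text, which is exactly
 * what the PoC payload does with onmouseover=. Returns 0 on success, -1 if the
 * output does not fit. */
int render_layer_vulnerable(const char *layer, char *out, size_t outlen)
{
    int n = snprintf(out, outlen,
                     "<area shape='rect' href='statusmap.cgi?layer=%s'>", layer);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Escape the five characters that can terminate or alter an HTML attribute
 * value or open a tag. Returns the number of bytes written (excluding the
 * terminating NUL), or -1 if out is too small. */
int html_attr_escape(const char *in, char *out, size_t outlen)
{
    size_t pos = 0;
    for (; *in; in++) {
        char tmp[2] = { *in, 0 };
        const char *rep;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = tmp;      break;
        }
        size_t len = strlen(rep);
        if (pos + len >= outlen)   /* keep room for the NUL */
            return -1;
        memcpy(out + pos, rep, len);
        pos += len;
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Hardened rendering: same template, but the value is escaped for the
 * attribute context before it is inserted. */
int render_layer_hardened(const char *layer, char *out, size_t outlen)
{
    char esc[OUT_MAX];
    if (html_attr_escape(layer, esc, sizeof esc) < 0)
        return -1;
    int n = snprintf(out, outlen,
                     "<area shape='rect' href='statusmap.cgi?layer=%s'>", esc);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Crude breakout check for the demonstration: the template itself emits
 * exactly four single quotes (shape='rect' and href='...'). Any additional
 * ones in the rendered fragment came from the untrusted value. */
int count_single_quotes(const char *html)
{
    int n = 0;
    for (; *html; html++)
        if (*html == '\'')
            n++;
    return n;
}

int main(void)
{
    /* Payload from the PoC in the message above, URL-decoded. */
    const char *payload = "' onmouseover=\"alert('XSS')\" '";
    char vuln[OUT_MAX], safe[OUT_MAX];

    render_layer_vulnerable(payload, vuln, sizeof vuln);
    render_layer_hardened(payload, safe, sizeof safe);

    printf("vulnerable: %s\n  single quotes: %d (template alone has 4)\n",
           vuln, count_single_quotes(vuln));
    printf("hardened:   %s\n  single quotes: %d\n",
           safe, count_single_quotes(safe));
    return 0;
}
```

Escaping is context-specific: the table above is correct for a quoted attribute value and for text content, but a value that lands inside a URL, a script block or an unquoted attribute needs a different encoder, so the fix is to escape at the point of output for the context the template actually uses, not to strip characters from the query string on input.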


