Bugzilla – Bug 682966
VUL-0: Nagios: XSS in the network status map CGI script
Last modified: 2011-08-22 09:21:46 UTC
Your friendly security team received the following report via oss-security. Please respond ASAP. The issue is public. ------------------------------------------------------------------------------ Date: Fri, 25 Mar 2011 18:06:33 +0100 From: Jan Lieskovsky <jlieskov@redhat.com> Subject: [oss-security] CVE Request -- Nagios -- XSS in the network status map CGI script Hello Steve, vendors, Cross-site scripting (XSS) vulnerability in Nagios allows remote attackers to inject arbitrary web script or HTML via specially-crafted 'layer' parameter passed to the Nagios network status map CGI script (statusmap.cgi). References: [1] http://tracker.nagios.org/view.php?id=207 [2] http://www.rul3z.de/advisories/SSCHADV2011-002.txt [3] http://secunia.com/advisories/43287/ [4] https://bugzilla.redhat.com/show_bug.cgi?id=690877 Public PoC (from [2): ===================== http://site/nagios/cgi-bin/statusmap.cgi?layer=' onmouseover="alert('XSS')" ' This doesn't seem to have a CVE id yet, so could you allocate one? Thanks && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
CVE-2011-1523
The SWAMPID for this issue is 39922. This issue was rated as moderate. Please submit fixed packages until 2011-04-18. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
ping
http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=1741
http://nagios.svn.sourceforge.net/viewvc/nagios/nagioscore/trunk/cgi/config.c?view=patch&r1=1741&r2=1740&pathrev=1741 http://nagios.svn.sourceforge.net/viewvc/nagios/nagioscore/trunk/cgi/statusmap.c?view=patch&r1=1741&r2=1740&pathrev=1741
http://nagios.svn.sourceforge.net/viewvc/nagios/nagioscore/trunk/cgi/config.c?view=patch&r1=1741&r2=1740&pathrev=1741 ^^ not available in nagios 3.2.1 (openSUSE 11.2) => skipped Submitted fixed packages for openSUSE 11.2 and 11.3
This is an autogenerated message for OBS integration: This bug (682966) was mentioned in https://build.opensuse.org/request/show/75067 11.4 / nagios https://build.opensuse.org/request/show/75068 11.3 / nagios
This is an autogenerated message for OBS integration: This bug (682966) was mentioned in https://build.opensuse.org/request/show/75405 11.4 / nagios https://build.opensuse.org/request/show/75406 11.4 / nagios
Submitted packages for 11.3, 11.4 and SLE-11-SP1 => reassigning
This is an autogenerated message for OBS integration: This bug (682966) was mentioned in https://build.opensuse.org/request/show/75429 Factory / nagios
This is an autogenerated message for OBS integration: This bug (682966) was mentioned in https://build.opensuse.org/request/show/75853 Factory / nagios
Update released for: nagios, nagios-debuginfo, nagios-debugsource, nagios-devel, nagios-www Products: SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP1 (i386, x86_64)
Update released for: nagios, nagios-debuginfo, nagios-debugsource, nagios-devel, nagios-www Products: openSUSE 11.4 (debug, i586, x86_64)
Update released for: nagios, nagios-debuginfo, nagios-debugsource, nagios-devel, nagios-www Products: openSUSE 11.3 (debug, i586, x86_64)
Update released for: nagios, nagios-debuginfo, nagios-www Products: SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64) SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
updates released