Bug 682966 - VUL-0: Nagios: XSS in the network status map CGI script
VUL-0: Nagios: XSS in the network status map CGI script
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: General
unspecified
Other Other
: P2 - High : Normal
: ---
Assigned To: Security Team bot
Security Team bot
maint:released:sle11-sp1:42060 maint:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2011-03-28 07:18 UTC by Ludwig Nussel
Modified: 2011-08-22 09:21 UTC (History)
3 users (show)

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ludwig Nussel 2011-03-28 07:18:51 UTC
Your friendly security team received the following report via oss-security.
Please respond ASAP.
The issue is public.

------------------------------------------------------------------------------
Date: Fri, 25 Mar 2011 18:06:33 +0100
From: Jan Lieskovsky <jlieskov@redhat.com>
Subject: [oss-security] CVE Request -- Nagios -- XSS in the network status map CGI script


Hello Steve, vendors,

   Cross-site scripting (XSS) vulnerability in Nagios allows remote
attackers to inject arbitrary web script or HTML via specially-crafted
'layer' parameter passed to the Nagios network status map CGI script
(statusmap.cgi).

References:
[1] http://tracker.nagios.org/view.php?id=207
[2] http://www.rul3z.de/advisories/SSCHADV2011-002.txt
[3] http://secunia.com/advisories/43287/
[4] https://bugzilla.redhat.com/show_bug.cgi?id=690877

Public PoC (from [2):
=====================
http://site/nagios/cgi-bin/statusmap.cgi?layer=' onmouseover="alert('XSS')" '

This doesn't seem to have a CVE id yet, so could you allocate one?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Comment 1 Ludwig Nussel 2011-03-29 07:07:08 UTC
CVE-2011-1523
Comment 2 Swamp Workflow Management 2011-04-04 11:57:56 UTC
The SWAMPID for this issue is 39922.
This issue was rated as moderate.
Please submit fixed packages until 2011-04-18.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 3 Thomas Biege 2011-06-06 15:27:07 UTC
ping
Comment 6 Lars Vogdt 2011-07-02 09:53:19 UTC
http://nagios.svn.sourceforge.net/viewvc/nagios/nagioscore/trunk/cgi/config.c?view=patch&r1=1741&r2=1740&pathrev=1741

^^ not available in nagios 3.2.1 (openSUSE 11.2) => skipped

Submitted fixed packages for openSUSE 11.2 and 11.3
Comment 7 Bernhard Wiedemann 2011-07-02 10:00:19 UTC
This is an autogenerated message for OBS integration:
This bug (682966) was mentioned in
https://build.opensuse.org/request/show/75067 11.4 / nagios
https://build.opensuse.org/request/show/75068 11.3 / nagios
Comment 11 Bernhard Wiedemann 2011-07-05 12:00:19 UTC
This is an autogenerated message for OBS integration:
This bug (682966) was mentioned in
https://build.opensuse.org/request/show/75405 11.4 / nagios
https://build.opensuse.org/request/show/75406 11.4 / nagios
Comment 12 Lars Vogdt 2011-07-05 14:56:21 UTC
Submitted packages for 
11.3, 11.4 and SLE-11-SP1
=> reassigning
Comment 14 Bernhard Wiedemann 2011-07-05 16:00:14 UTC
This is an autogenerated message for OBS integration:
This bug (682966) was mentioned in
https://build.opensuse.org/request/show/75429 Factory / nagios
Comment 15 Bernhard Wiedemann 2011-07-08 14:00:56 UTC
This is an autogenerated message for OBS integration:
This bug (682966) was mentioned in
https://build.opensuse.org/request/show/75853 Factory / nagios
Comment 17 Swamp Workflow Management 2011-07-11 12:18:39 UTC
Update released for: nagios, nagios-debuginfo, nagios-debugsource, nagios-devel, nagios-www
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)
Comment 18 Swamp Workflow Management 2011-07-25 08:59:56 UTC
Update released for: nagios, nagios-debuginfo, nagios-debugsource, nagios-devel, nagios-www
Products:
openSUSE 11.4 (debug, i586, x86_64)
Comment 19 Swamp Workflow Management 2011-07-25 09:00:39 UTC
Update released for: nagios, nagios-debuginfo, nagios-debugsource, nagios-devel, nagios-www
Products:
openSUSE 11.3 (debug, i586, x86_64)
Comment 20 Swamp Workflow Management 2011-07-25 11:11:33 UTC
Update released for: nagios, nagios-debuginfo, nagios-www
Products:
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 25 Matthias Weckbecker 2011-08-22 09:21:46 UTC
updates released