Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:25878
HistoryMar 09, 2011 - 12:00 a.m.

Cross-Site Scripting vulnerabilities in Icinga

2011-03-0900:00:00
vulners.com
10
JSON

Advisory: Cross-Site Scripting vulnerabilities in Icinga
Advisory ID: SSCHADV2011-001
Author: Stefan Schurtz
Affected Software: Successfully tested on: icinga-1.3.0 / icinga-1.2.1
Vendor URL: http://www.icinga.org
Vendor Status: fixed csv export link to make it XSS save (IE) #1275
CVE-ID: -

==========================
Vulnerability Description:

This is Cross-Site Scripting vulnerability

==================
Technical Details:

No input validation for "QUERY_STRING"

Problem in "status.c"

http://site/icinga/cgi-bin/status.cgi?'</style></script><script>alert('XSS')</script>
http://site/icinga/cgi-bin/status.cgi?'</style></script><script>alert('XSS')</script><A
HREF='status.cgi

/* add export to csv link */

if(getenv("QUERY_STRING")!=NULL) {
printf("<td valign=bottom width=33%%><div class='csv_export_link'><a
href='%s?%s&csvoutput' target='_blank'>Export to
CSV</a></div></td>n",STATUS_CGI,strdup(getenv("QUERY_STRING")));
} else {
printf("<td valign=bottom width=33%%><div class='csv_export_link'><a
href='%s?csvoutput' target='_blank'>Export to CSV</a></div></td>n",STATUS_CGI);

Problem in "notification.c"

http://site/icinga/cgi-bin/notifications.cgi?&#39;&lt;/style&gt;&lt;/script&gt;&lt;script&gt;alert&#40;&#39;XSS&#39;&#41;&lt;/script&gt;
http://site/icinga/cgi-bin/notifications.cgi?&#39;&lt;/style&gt;&lt;/script&gt;&lt;script&gt;alert&#40;&#39;XSS&#39;&#41;&lt;/script&gt;&lt;A
HREF='notifications.cgi

if(getenv("QUERY_STRING")!=NULL) {
printf("<TR><TD colspan='7'><DIV class='csv_export_link'><A
HREF='%s?%s&csvoutput' target='_blank'>Export to
CSV</A></DIV></TD></TR>n",NOTIFICATIONS_CGI,strdup(getenv("QUERY_STRING")));
} else {
printf("<TR><TD colspan='7'><DIV class='csv_export_link'><A
HREF='%s?csvoutput' target='_blank'>Export to
CSV</A></DIV></TD></TR>n",NOTIFICATIONS_CGI);
}

=========
Solution:

ID: 90c2209dfc7b8b6a174f46eb5d2a87d1a9789383

https://dev.icinga.org/projects/icinga-core/repository/revisions/90c2209dfc7b8b6a174f46eb5d2a87d1a9789383/diff

fixed csv export link to make it XSS save (IE) #1275

====================
Disclosure Timeline:

04-Mar-2011 - informed developers
07-Mar-2011 - Bug 1275 - make csv export link XSS save - on "Icinga Development
Mailinglist"
07-Mar-2011 - informed DFN-CERT - [email protected]
07-Mar-2011 - Release date of this security advisory
07-Mar-2011 - developers fixed csv export link to make it XSS save (IE) #1275

========
Credits:

Vulnerability found and advisory written by Stefan Schurtz.

===========
References:

http://www.icinga.org
http://www.rul3z.de/advisories/SSCHADV2011-001.txt

JSON