by Adam Baldwin
A persistent (stored) cross-site scripting vulnerability exists in the Nagios Enterprise 2011R3.2 configuration manager. The username field on the Nagios Core Config Manager login page (http://nagios.example.com/nagiosql/index.php) is not properly encoded when displayed on the config manager log.
No authentication is required to inject the payload into Nagios, however an authenticated user must visit the vulnerable page. Should the nagios server not be public, injection of the payload can also be accomplished using CSRF as the login form has no CSRF validation.
- Attacker visits the login page.
- Attacker drops payload in the username field. Example: <script>alert(1)</script>
- Attacker fails authentication on that page
- Victim logs into nagios and vists the config manager log in the configuration manager
- Attackers payload is executed in the context of the config manager user
Nagios said that this would be addressed in the Nagios XI 3.3 release.