Nagios Enterprise XIWindow Reflected XSS

by Adam Baldwin

Summary

A reflected cross-site scripting vulnerability exists in the admin console (/nagiosxi/admin/) of Nagios Enterprise 2012R1.0 and earlier.

The value of the xiwindow parameter (http://example.com/nagiosxi/admin/?xiwindow=) is written back into the page without HTML attribute encoding. The value lands inside a quoted attribute that holds the URL the admin console frames, so a double quote in the parameter closes that attribute and everything after it is parsed as further attributes of the same tag.

The victim must be logged in to the admin console for the injected script to run. The attacker needs no account of their own: getting an authenticated administrator to open the crafted link is enough, and the script then executes in that administrator's session.

Example exploit payload

http://192.168.0.77/nagiosxi/admin/?xiwindow=http://%22%20onerror=%22alert%281%29;//

URL-decoded, the parameter value is http://" onerror="alert(1);// : the double quote closes the attribute the URL is written into, onerror="alert(1);" adds an event handler to the tag, and the trailing // comments out anything that might follow inside the handler.

Because the parameter is used as the URL of the framed content, it can also be pointed at any attacker-controlled page, which is then displayed inside the Nagios admin console under the legitimate hostname. A fake Config Manager login page is the obvious use, since it appears within a console the administrator already trusts.
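The attribute breakout behind the payload above, together with the two fixes it calls for (output encoding for the XSS, and a frame-target allowlist for the phishing variant), as an added example in JavaScript. This is not Nagios code: it assumes the console writes the xiwindow value as the src of an <iframe> (the tag is inferred from the payload and the framing behaviour; the breakout works the same way for any quoted attribute), and the default target /nagiosxi/admin/ and all function names are the example's own.

```javascript
// Added example, not Nagios XI's own code. Shows how the xiwindow value lands in
// the admin console's frame markup and the two checks that close the hole.
// Assumption: the value is written as the src of an <iframe>; the element type
// is inferred from the advisory, the attribute breakout itself is tag-agnostic.

// The advisory's payload, exactly as it appears in the query string.
const ADVISORY_PAYLOAD = 'http://%22%20onerror=%22alert%281%29;//';

// Vulnerable pattern: the raw query value is concatenated into a quoted attribute.
function renderFrameVulnerable(xiwindow) {
  return '<iframe src="' + xiwindow + '"></iframe>';
}

// HTML attribute encoding for the same character set as PHP htmlspecialchars()
// with ENT_QUOTES: every character that can end a quoted attribute or start an
// entity is replaced, so the value can never close the attribute it sits in.
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Frame-target allowlist: only a path inside the application may be framed,
// which also closes the "frame a fake login page" variant. Rejects absolute and
// scheme-bearing URLs (http:, javascript:, data:), scheme-relative URLs (//host),
// backslash variants that some browsers normalise to slashes, and traversal.
function isAllowedFrameTarget(target) {
  if (typeof target !== 'string' || target.length === 0) return false;
  if (/^[a-z][a-z0-9+.-]*:/i.test(target)) return false;
  if (target.startsWith('//') || target.includes('\\')) return false;
  if (!target.startsWith('/nagiosxi/')) return false;
  const pathOnly = target.split(/[?#]/)[0];
  if (pathOnly.split('/').includes('..')) return false;
  return true;
}

// Hardened pattern: validate the target first, encode on output, and fall back
// to a fixed default (assumed here) when the value is not acceptable.
function renderFrameHardened(xiwindow, defaultTarget = '/nagiosxi/admin/') {
  const target = isAllowedFrameTarget(xiwindow) ? xiwindow : defaultTarget;
  return '<iframe src="' + escapeAttr(target) + '"></iframe>';
}

// Detection helper: did the value escape the src attribute and smuggle in a new
// attribute (an event handler, for instance) on the same tag?
function hasInjectedAttribute(markup) {
  return /<iframe src="[^"]*"\s+[a-z]+=/i.test(markup);
}

// Run the advisory's payload through both renderers.
function demo() {
  const decoded = decodeURIComponent(ADVISORY_PAYLOAD);
  return {
    decoded,
    vulnerable: renderFrameVulnerable(decoded),
    vulnerableInjected: hasInjectedAttribute(renderFrameVulnerable(decoded)),
    hardened: renderFrameHardened(decoded),
    hardenedInjected: hasInjectedAttribute(renderFrameHardened(decoded)),
  };
}

console.log(demo());
```

Encoding alone stops the script injection but still lets the console frame an arbitrary external page, which is why the allowlist is applied before encoding rather than instead of it.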

We received no response from Nagios to our report; based on past experience, however, it should be addressed in the next release.