Nagios XI 5.5.10 xiwindow Cross-Site Scripting (XSS)

Summary

A cross-site scripting (XSS) vulnerability in Nagios XI before 5.5.11 allows attackers to inject arbitrary web script or HTML via the xiwindow parameter.

Product description (from vendor)

“[Nagios XI] Provides monitoring of all mission-critical infrastructure components including applications, services, operating systems, network protocols, systems metrics, and network infrastructure. Hundreds of third-party addons provide for monitoring of virtually all in-house applications, services, and systems”. For more information visit https://www.nagios.com/products/nagios-xi/.

CVE(s)

Details

Root cause analysis

The Nagios XI page about/index.php (and others) lets the xiwindow HTTP parameter define which page is displayed in an iframe element:

<?php
    [...]
--> $xiwindow = grab_request_var("xiwindow", "");
    if ($xiwindow != "") {
        $rawurl = urldecode($xiwindow);
    }

    [...]

    $a = parse_url($rawurl);
    if (isset($a["host"])) {
        [...]
    } else {
-->     $windowurl = $a["path"] . "?";
    }

    [...]

    return encode_form_valq($windowurl);

When the supplied value has no host component, the path returned by parse_url() is used as the window URL after only form-value encoding. Because parse_url() treats a leading a: as the URL scheme, a value such as a:javascript:... carries no host, so its path (a javascript: URL) reaches the iframe unchanged. It is therefore possible to execute arbitrary JavaScript code through a malicious xiwindow.
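As an added illustration (not Nagios XI code and not the vendor's patch), the following hardened handler accepts only a plain relative path for xiwindow and falls back to a default page otherwise; the default page name main.php and the sample inputs are constructed assumptions.

```php
<?php
// Added example, not part of Nagios XI: validate the xiwindow value
// before it is used as an iframe target. Any value carrying a scheme,
// a host, a protocol-relative "//" prefix or a ".." segment is rejected.
function safe_xiwindow(string $xiwindow, string $default = 'main.php'): string
{
    $raw = urldecode($xiwindow);

    // Only a relative path of safe characters, optionally followed by a
    // simple query string. Colons and parentheses are not allowed, so
    // "javascript:" and "a:javascript:" style values never get through.
    if (!preg_match('~^(?!//)[A-Za-z0-9_./-]+(\?[A-Za-z0-9_=&%.-]*)?$~', $raw)) {
        return $default;
    }

    // Second check with the same parser the original code relies on:
    // no scheme, no host, and no directory traversal in the path.
    $a = parse_url($raw);
    if ($a === false || isset($a['scheme']) || isset($a['host'])
        || strpos($a['path'] ?? '', '..') !== false) {
        return $default;
    }

    // Encode for use inside an HTML attribute (e.g. the iframe src).
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs; the first one is the payload shape from the advisory.
$tests = [
    'a:javascript:alert(document.cookie)//'  => 'main.php',
    'javascript:alert(1)'                    => 'main.php',
    '//evil.example/x'                       => 'main.php',
    '../../etc/passwd'                       => 'main.php',
    'monitoringengine/status.php?host=web01' => 'monitoringengine/status.php?host=web01',
];

foreach ($tests as $input => $expected) {
    $got = safe_xiwindow($input);
    printf("%-42s -> %-42s %s\n", $input, $got, $got === $expected ? 'OK' : 'FAIL');
}
```

The allowlist is deliberately strict; a deployment that needs other characters in the query string should widen the pattern rather than remove the scheme and host checks.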

Proof of concept

  1. Navigate to the endpoint http://nagiosxi.local/nagiosxi/about/index.php?xiwindow=a:javascript:alert(document.cookie)//
  2. Notice that the JavaScript code runs in the context of the Nagios XI domain.

Impact

An unauthenticated attacker might be able to gain access to the victim’s Nagios XI session by making them visit a malicious URL that triggers the XSS vulnerability.

Remediation

Upgrade to Nagios XI 5.5.11 or later. (Note: we didn’t verify the patch.)

Disclosure timeline

This report was subject to Shielder’s disclosure policy:

  • 20/02/2019:
    • Vulnerability report is sent to vendor
    • Vendor acknowledges issue and begins triage process
  • 28/02/2019: Vendor releases Nagios XI 5.5.11
  • 10/04/2019: Shielder’s advisory is made public

Credits

`polict` of Shielder

Date

10 April 2019