A SQL Injection vulnerability in Nagios Incident Manager (component of Nagios XI) before 2.2.7 allows authenticated attackers to inject additional SQL statements via the
“Resolve network incidents, collaborate with team members, and track incident history”. For more information visit https://www.nagios.com/products/nagios-incident-manager/.
The Nagios XI API
/nagiosxi/includes/components/nagiosim/nagiosim.php allows interaction with Nagios IM through the file
incident_id is never sanitized nor validated, an attacker can exploit the SQL injection to get hold of the information in the database in use by Nagios XI.
/nagiosxi/includes/components/nagiosim/nagiosim.php?mode=update&token=[your api token]&incident_id=1'union%20select%201,2,3,4,5,6,7,8,'xusing the logged-in session
An authenticated attacker can get hold of the information in the database in use by Nagios XI.
Upgrade to Nagios IM 2.2.7 or later. (Note: we didn’t verify the patch.)
This report was subject to Shielder’s disclosure policy:
`polict` of Shielder
This advisory was first published on https://www.shielder.it/it/advisories/nagiosim-incident_id-sql-injection/
10 April 2019