SSCHADV2011-001 - Cross-Site Scripting vulnerabilities in Icinga
Advisory: Cross-Site Scripting vulnerabilities in Icinga
Advisory ID: SSCHADV2011-001
Author: Stefan Schurtz
Affected Software: Successfully tested on icinga-1.3.0 / icinga-1.2.1
Vendor URL: http://www.icinga.org
Vendor Status: fixed csv export link to make it XSS save (IE) #1275
OSVDB-ID: 71050
======================
Vulnerability Description:
======================
This is a Cross-Site Scripting vulnerability.
==============
Technical Details:
==============
No input validation for "QUERY_STRING"
Problem in "status.c"
http://site/icinga/cgi-bin/status.cgi?'</style></script><script>alert('XSS')</script>
http://site/icinga/cgi-bin/status.cgi?'</style></script><script>alert('XSS')</script><A HREF='status.cgi

/* add export to csv link */
/* QUERY_STRING is written into the href attribute without any escaping */
if(getenv("QUERY_STRING")!=NULL) {
    printf("<td valign=bottom width=33%%><div class='csv_export_link'><a href='%s?%s&csvoutput' target='_blank'>Export to CSV</a></div></td>\n",STATUS_CGI,strdup(getenv("QUERY_STRING")));
} else {
    printf("<td valign=bottom width=33%%><div class='csv_export_link'><a href='%s?csvoutput' target='_blank'>Export to CSV</a></div></td>\n",STATUS_CGI);
}

Problem in "notification.c"
http://site/icinga/cgi-bin/notifications.cgi?'</style></script><script>alert('XSS')</script>
http://site/icinga/cgi-bin/notifications.cgi?'</style></script><script>alert('XSS')</script><A HREF='notifications.cgi

/* add export to csv link */
/* QUERY_STRING is written into the href attribute without any escaping */
if(getenv("QUERY_STRING")!=NULL) {
    printf("<td valign=bottom width=33%%><div class='csv_export_link'><a href='%s?%s&csvoutput' target='_blank'>Export to CSV</a></div></td>\n",STATUS_CGI,strdup(getenv("QUERY_STRING")));
} else {
    printf("<td valign=bottom width=33%%><div class='csv_export_link'><a href='%s?csvoutput' target='_blank'>Export to CSV</a></div></td>\n",STATUS_CGI);
}
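
An added example, not Icinga's code and not the referenced fix commit (its diff is not reproduced in this advisory): one way to close this class of bug is to HTML-escape QUERY_STRING before printing it inside the single-quoted href. The names html_escape and build_csv_link, the buffer sizes, and the literal "status.cgi" standing in for STATUS_CGI are assumptions.

```c
/* Added example, not Icinga's code: escape QUERY_STRING for the href. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape src for HTML text/attribute context. Returns 0 on success,
 * -1 if dst (size dstlen) is too small; dst is NUL-terminated either way. */
int html_escape(const char *src, char *dst, size_t dstlen)
{
    size_t used = 0;
    if (dstlen == 0) return -1;
    for (; *src; src++) {
        char one[2] = { *src, '\0' };
        const char *rep = one;          /* default: copy the byte unchanged */
        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break; /* the quote that closes href='...' */
        }
        size_t len = strlen(rep);
        if (used + len >= dstlen) { dst[used] = '\0'; return -1; }
        memcpy(dst + used, rep, len);
        used += len;
    }
    dst[used] = '\0';
    return 0;
}

/* Build the "Export to CSV" cell; falls back to the parameterless link
 * when the query string is absent, empty, or too long after escaping. */
int build_csv_link(char *out, size_t outlen, const char *cgi, const char *qs)
{
    char esc[2048];
    if (qs != NULL && *qs != '\0' && html_escape(qs, esc, sizeof(esc)) == 0)
        return snprintf(out, outlen,
            "<td valign=bottom width=33%%><div class='csv_export_link'>"
            "<a href='%s?%s&amp;csvoutput' target='_blank'>Export to CSV</a></div></td>\n",
            cgi, esc);
    return snprintf(out, outlen,
        "<td valign=bottom width=33%%><div class='csv_export_link'>"
        "<a href='%s?csvoutput' target='_blank'>Export to CSV</a></div></td>\n", cgi);
}

int main(void)
{
    char html[4096];
    build_csv_link(html, sizeof(html), "status.cgi", getenv("QUERY_STRING"));
    return fputs(html, stdout) == EOF;
}
```

Because the browser decodes `&amp;` inside an attribute value back to `&`, a legitimate query string still produces a working export link.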
=====
Solution:
=====
ID: 90c2209dfc7b8b6a174f46eb5d2a87d1a9789383
https://dev.icinga.org/projects/icinga-core/repository/revisions/90c2209dfc7b8b6a174f46eb5d2a87d1a9789383/diff
fixed csv export link to make it XSS save (IE) #1275
================
Disclosure Timeline:
================
04-Mar-2011 – informed developers
07-Mar-2011 – Bug 1275 – make csv export link XSS save – on "Icinga Development Mailinglist"
07-Mar-2011 – informed DFN-CERT – cert@dfn-cert.de
07-Mar-2011 – Release date of this security advisory
07-Mar-2011 – developers fixed csv export link to make it XSS save (IE) #1275
08-Mar-2011 – post on BugTraq – http://www.securityfocus.com/archive/1/516917/30/0/threaded
====
Credits:
====
Vulnerability found and advisory written by Stefan Schurtz.
=======
References:
=======
http://www.icinga.org
http://www.rul3z.de/advisories/SSCHADV2011-001.txt