Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 360537 (CVE-2011-1523) - <net-analyzer/nagios-3.3.1: "layer" Cross-Site Scripting (XSS) Vulnerability (CVE-2011-1523)
Summary: <net-analyzer/nagios-3.3.1: "layer" Cross-Site Scripting (XSS) Vulnerability ...
Status: RESOLVED FIXED
Alias: CVE-2011-1523
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://tracker.nagios.org/view.php?id...
Whiteboard: B4 [noglsa]
Keywords:
Depends on: CVE-2011-2179
Blocks:
  Show dependency tree
 
Reported: 2011-03-26 12:03 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2011-08-28 02:13 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-26 12:03:32 UTC 
Stefan Schurtz has discovered a vulnerability in Nagios, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed via the "layer" parameter to cgi-bin/statusmap.cgi is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerability is confirmed in version 3.2.3. Other versions may also be affected.

http://secunia.com/advisories/43287/
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-03-30 04:08:52 UTC 
Looks like the upstream bug may be at http://tracker.nagios.org/view.php?id=207.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 00:24:42 UTC 
CVE-2011-1523 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1523):
  Cross-site scripting (XSS) vulnerability in statusmap.c in statusmap.cgi in
  Nagios 3.2.3 and earlier allows remote attackers to inject arbitrary web
  script or HTML via the layer parameter.
Comment 3 Tobias Scherbaum (RETIRED) gentoo-dev 2011-08-13 15:23:16 UTC 
Should be fixed in 3.3.1
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-08-18 04:44:12 UTC 
(In reply to comment #3)
> Should be fixed in 3.3.1

I believe so; from the 3.3.1 changelog:

* Fixed XSS vulnerability in config.cgi and statusmap.cgi (Stefan Schurtz)

We'll work in bug 371302 for stabilization.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-08-28 02:13:19 UTC 
Thanks, folks. Stabilization completed; closing noglsa for XSS.