From the upstream bug at $URL: ========================== Vulnerability Description: ========================== This is a Cross-Site Scripting vulnerability ================== Technical Details: ================== No input validation for "expand" in config.c(gi) View Config -> Command Expansion -> To expand -> <script>alert(String.fromCharCode(88,83,83))</script> View Config -> Command Expansion -> To expand -> <body onload=alert(666)> or http://www.example.com/nagios/cgi-bin/config.cgi?type=command&expand=<script>alert(String.fromCharCode(88,83,83))</script> [^] http://www.example.com/nagios/cgi-bin/config.cgi?type=command&expand=<body [^] onload=alert(666)>
CVE-2011-2179 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2179): Multiple cross-site scripting (XSS) vulnerabilities in config.c in config.cgi in (1) Nagios 3.2.3 and (2) Icinga before 1.4.1 allow remote attackers to inject arbitrary web script or HTML via the expand parameter, as demonstrated by an (a) command action or a (b) hosts action.
Should be fixed in 3.3.1
(In reply to comment #2) > Should be fixed in 3.3.1 I believe so; from the 3.3.1 changelog: * Fixed XSS vulnerability in config.cgi and statusmap.cgi (Stefan Schurtz) Arches, please test and mark stable: =net-analyzer/nagios-3.3.1 Target keywords : "alpha amd64 ppc ppc64 sparc x86"
tested also net-analyzer/nagios-core-3.3.1 both ok on amd64
+ 18 Aug 2011; Tony Vroon <chainsaw@gentoo.org> nagios-core-3.3.1.ebuild: + Marked stable on AMD64 as a dependency of net-analyzer/nagios-3.3.1 as per + arch testing by Agostino "ago" Sarubbo in security bug #371302. + 18 Aug 2011; Tony Vroon <chainsaw@gentoo.org> nagios-3.3.1.ebuild: + Marked stable on AMD64 as per arch testing by Agostino "ago" Sarubbo in + security bug #371302 filed by Tim Sammut.
ppc/ppc64 stable
x86 stable. Thanks
alpha/sparc stable
Thanks, folks. Closing noglsa for XSS.