Bug 371302 (CVE-2011-2179) - <net-analyzer/nagios-3.3.1: Cross-site Scripting Vulnerability (CVE-2011-2179)
Summary: <net-analyzer/nagios-3.3.1: Cross-site Scripting Vulnerability (CVE-2011-2179)
Status: RESOLVED FIXED
Alias: CVE-2011-2179
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://tracker.nagios.org/view.php?id...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks: CVE-2011-1523
Reported: 2011-06-12 19:59 UTC by Tim Sammut (RETIRED)
Modified: 2011-08-28 02:12 UTC

See Also:
Package list:
Runtime testing required: ---


Description Tim Sammut (RETIRED) gentoo-dev 2011-06-12 19:59:15 UTC
From the upstream bug at $URL:

==========================
Vulnerability Description:
==========================

This is a Cross-Site Scripting vulnerability

==================
Technical Details:
==================

No input validation for "expand" in config.c(gi)

View Config -> Command Expansion -> To expand -> <script>alert(String.fromCharCode(88,83,83))</script>
View Config -> Command Expansion -> To expand -> <body onload=alert(666)>

or

http://www.example.com/nagios/cgi-bin/config.cgi?type=command&expand=<script>alert(String.fromCharCode(88,83,83))</script>
http://www.example.com/nagios/cgi-bin/config.cgi?type=command&expand=<body onload=alert(666)>
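
Added example (not part of the original report and not the Nagios source or its 3.3.1 fix): a C sketch of the missing control, HTML-encoding a request value such as "expand" before it is written back into the page. The function names, buffer sizes and the input-field markup are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* HTML-encode `in` into `out` (capacity `cap`, including the NUL).
 * Returns the encoded length, or -1 if the result does not fit; on failure
 * `out` is left empty so a truncated value is never reflected. */
int html_escape(const char *in, char *out, size_t cap)
{
    size_t used = 0;
    if (cap == 0) return -1;
    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *rep = one;           /* default: copy the byte unchanged */
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t n = strlen(rep);
        if (used + n + 1 > cap) { out[0] = '\0'; return -1; }
        memcpy(out + used, rep, n);
        used += n;
    }
    out[used] = '\0';
    return (int)used;
}

/* Hypothetical renderer: builds the form field that echoes the value back. */
int render_expand_field(const char *expand, char *html, size_t cap)
{
    char safe[512];
    if (html_escape(expand, safe, sizeof safe) < 0) return -1; /* reject, do not echo */
    int n = snprintf(html, cap, "<input type='text' name='expand' value='%s'>", safe);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

int main(void)
{
    char html[1024];
    /* The two values quoted in the report above, plus a benign command name. */
    const char *samples[] = { "<script>alert(String.fromCharCode(88,83,83))</script>",
                              "<body onload=alert(666)>", "check_ping" };
    for (size_t i = 0; i < 3; i++)
        if (render_expand_field(samples[i], html, sizeof html) >= 0)
            puts(html);
    return 0;
}
```

Both values from the report come out as inert text inside the attribute, and a value too long for the buffer is rejected rather than echoed in part.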
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 00:07:01 UTC
CVE-2011-2179 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2179):
  Multiple cross-site scripting (XSS) vulnerabilities in config.c in
  config.cgi in (1) Nagios 3.2.3 and (2) Icinga before 1.4.1 allow remote
  attackers to inject arbitrary web script or HTML via the expand parameter,
  as demonstrated by an (a) command action or a (b) hosts action.
Comment 2 Tobias Scherbaum (RETIRED) gentoo-dev 2011-08-13 15:23:02 UTC
Should be fixed in 3.3.1
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-08-18 04:45:13 UTC
(In reply to comment #2)
> Should be fixed in 3.3.1

I believe so; from the 3.3.1 changelog:

* Fixed XSS vulnerability in config.cgi and statusmap.cgi (Stefan Schurtz)

Arches, please test and mark stable:
=net-analyzer/nagios-3.3.1
Target keywords : "alpha amd64 ppc ppc64 sparc x86"
Comment 4 Agostino Sarubbo gentoo-dev 2011-08-18 09:42:48 UTC
tested also net-analyzer/nagios-core-3.3.1

both ok on amd64
Comment 5 Tony Vroon (RETIRED) gentoo-dev 2011-08-18 10:22:44 UTC
+  18 Aug 2011; Tony Vroon <chainsaw@gentoo.org> nagios-core-3.3.1.ebuild:
+  Marked stable on AMD64 as a dependency of net-analyzer/nagios-3.3.1 as per
+  arch testing by Agostino "ago" Sarubbo in security bug #371302.

+  18 Aug 2011; Tony Vroon <chainsaw@gentoo.org> nagios-3.3.1.ebuild:
+  Marked stable on AMD64 as per arch testing by Agostino "ago" Sarubbo in
+  security bug #371302 filed by Tim Sammut.
Comment 6 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-08-18 15:50:52 UTC
ppc/ppc64 stable
Comment 7 Thomas Kahle (RETIRED) gentoo-dev 2011-08-19 16:21:03 UTC
x86 stable. Thanks
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2011-08-27 17:38:54 UTC
alpha/sparc stable
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2011-08-28 02:12:46 UTC
Thanks, folks. Closing noglsa for XSS.