
Sunday, April 29, 2018

Few bugs in latest Nagios XI 5.4.13

As you probably already know, from time to time I work on a small and simple Python script called modus.py [1,2]. It's also fun to run a VM in the background (for example one with a web app, like Bitnami's VM collection [3,4,5]) and do some blackbox testing to find cases for future analysis... This time you will find below a few results for the 'latest' Nagios XI, 5.4.13. Here we go...

I found the VM image available at the link presented below:



All cases presented below should be exploitable from a normal/registered user account.

#01 - Report name:



You will find more details in the ./components/scheduledreporting/ directory:



As far as I can tell, three parameters here are vulnerable to XSS attacks: hour, minute, ampm.

When you click the button to 'schedule' the report you want, you get a chance to add persistent XSS code. Example (with an h1 ... /h1 tag) below:

More details below:


It's also easy to store some JavaScript code:
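One defensive check for the three fields above, as an added example that is not from the original post or from Nagios: a strict allow-list validator for hour, minute and ampm, reused to scan (constructed) web-server access-log lines for requests to the scheduledreporting component carrying values that are not clock values. The /nagiosxi/components/scheduledreporting/index.php path and the GET query-string form are assumptions; form values sent by POST do not appear in an access log, so there the validator has to be applied to the parsed request body instead.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Allow-lists for the three scheduled-report time fields named in the post. A value
# that is not a plausible clock value is rejected before it can reach storage.
TIME_FIELD_RULES = {
    "hour": re.compile(r"0?[1-9]|1[0-2]"),
    "minute": re.compile(r"[0-5]?\d"),
    "ampm": re.compile(r"AM|PM", re.IGNORECASE),
}

# Combined-log-format request line; only the fields needed below are captured.
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Constructed sample log lines (not from the original post); the script path is assumed.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Apr/2018:10:00:01 +0000] "GET /nagiosxi/components/scheduledreporting/index.php?hour=9&minute=30&ampm=AM HTTP/1.1" 200 512
10.0.0.5 - - [29/Apr/2018:10:00:07 +0000] "GET /nagiosxi/components/scheduledreporting/index.php?hour=%3Ch1%3Ex%3C%2Fh1%3E&minute=30&ampm=AM HTTP/1.1" 200 512
10.0.0.9 - - [29/Apr/2018:10:01:12 +0000] "GET /nagiosxi/components/scheduledreporting/index.php?hour=12&minute=00&ampm=%3Cscript%3E1%3C%2Fscript%3E HTTP/1.1" 200 512
"""

def validate_report_time(params):
    """Return (field, value) pairs that fail the allow-list; params maps name -> list of values."""
    bad = []
    for field, rule in TIME_FIELD_RULES.items():
        for value in params.get(field, []):
            if rule.fullmatch(value) is None:  # fullmatch: the whole value must be a clock value
                bad.append((field, value))
    return bad

def scan_access_log(text):
    """Flag requests to the scheduled-reporting component whose time fields are not clock values."""
    findings = []
    for line in text.splitlines():
        m = ACCESS_LINE.match(line)
        if m is None:
            continue
        url = urlsplit(m.group("target"))
        if "/components/scheduledreporting/" not in url.path:
            continue
        bad = validate_report_time(parse_qs(url.query, keep_blank_values=True))
        if bad:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"), "bad": bad})
    return findings

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding["ts"], finding["ip"], finding["bad"])
```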


#02 - page vector:


You need to put the XSS code in the field shown in the red-marked table:


More below:


#03 - XSS in 'args' - ajaxhelper.php:

Response grabbed by Burp:

#04 - background - same file:


Response similar to the #03 case:


#05 - i[] in ajax_handler.php:


Response:



Now, if you can share your scheduled reports with other users, there is a possibility of an RCE attack.

If your XSS/CSRF adds a 'new command' (for example:


) you can check the 4444/tcp port (in this case...). In other words, if you can create a new command, you can own the Nagios server:


I think we are ready:


... to go:



Checking:




:]

#06 - XSS in title parameter - deploy:




Response:




After all of that there was one more "bug" I found interesting. The admin user was able to read local files. I was wondering whether the same functionality is available to 'other users' (in this case, my registered "normal" user). This is what I found:


As you can see, the screenshot was taken as the 'admin' user. I decided to switch to the 'tester' user and check whether the xiwindow parameter would also be available:


Maybe you will find it useful. ;]

In case of any questions you know how to find me.

Cheers!

o/
