As you probably already know, from time to time I work on a small and simple Python script called modus.py [1,2]. It's also fun to run some VM in the background (for example with some webapp, like Bitnami's VM collection [3,4,5]) and start a black-box test to find some cases for future analysis... This time, below you will find a few results for the 'latest' Nagios XI - 5.4.13. Here we go...
I found an available VM at the link presented below:
All cases presented below should be exploitable by a normal/registered user.
#01 - Report name:
You will find more details in the ./components/scheduledreporting/ directory:
As far as I'm concerned, 3 parameters here are vulnerable to XSS attacks: hour, minute, ampm.
When you click the button to 'schedule' the report you are looking for, you will have a chance to add persistent XSS code. Example (of h1 ... /h1) below:
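For the defensive side of case #01, here is an added example (not from the original post and not Nagios XI's own code) of allow-list validation for the hour, minute and ampm fields before they are stored, plus HTML encoding when they are rendered. The function names, the 12-hour range and the sample inputs are assumptions made for illustration.

```php
<?php
// Added illustration; not Nagios XI source. Function names are hypothetical.
declare(strict_types=1);

/** Allow-list check for the three schedule fields; throws on anything unexpected. */
function validate_schedule_time(array $in): array
{
    // Assumption: a 12-hour clock, since the form carries an ampm field.
    foreach (['hour', 'minute'] as $name) {
        $v = $in[$name] ?? null;
        // Plain strings of 1-2 ASCII digits only: rejects arrays, markup, whitespace.
        if (!is_string($v) || preg_match('/\A[0-9]{1,2}\z/', $v) !== 1) {
            throw new InvalidArgumentException("invalid $name");
        }
    }
    $h = (int) $in['hour'];
    $m = (int) $in['minute'];
    if ($h < 1 || $h > 12 || $m > 59) {
        throw new InvalidArgumentException('time out of range');
    }
    $ampm = $in['ampm'] ?? null;
    if (!is_string($ampm) || !in_array(strtoupper($ampm), ['AM', 'PM'], true)) {
        throw new InvalidArgumentException('invalid ampm');
    }
    return ['hour' => (string) $h, 'minute' => sprintf('%02d', $m), 'ampm' => strtoupper($ampm)];
}

/** Encode on output too, so rows stored before validation existed stay inert. */
function render_schedule_time(array $row): string
{
    $text = sprintf('%s:%s %s', $row['hour'], $row['minute'], $row['ampm']);
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs: one well-formed, one carrying markup in "hour".
$samples = [
    ['hour' => '9', 'minute' => '05', 'ampm' => 'pm'],
    ['hour' => '<h1>9</h1>', 'minute' => '05', 'ampm' => 'AM'],
];
foreach ($samples as $s) {
    try {
        echo render_schedule_time(validate_schedule_time($s)), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```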
#02 - page vector:
You need to put the XSS code in the field in the red table:
#03 - XSS in 'args' - ajaxhelper.php:
Response similar to the #03 case:
#05 - i in ajax_handler.php:
Now. If you can share your scheduled reports with other users, there is a possibility of an RCE attack.
If your XSS/CSRF adds a 'new command' (for example:
) you can check the 4444/tcp port (in this case...). In other words, if you can create a new command, you can own the Nagios server:
I think we are ready:
... to go:
#06 - XSS in title parameter - deploy:
After all of that, there was one more "bug" I found interesting. The admin user was able to read local files. I was wondering if the same functionality was available for 'other users' (in this case - for my registered "normal" user). This is what I've found:
As you can see, the screen was created for the 'admin' user. I decided to switch to the 'tester' user and check if the xiwindow parameter would also be available:
Maybe you will find it useful. ;]
In case of any questions you know how to find me.