Bug 1948

Summary: Cross-site scripting (XSS) vulnerabilities in nagios
Product: Mageia
Reporter: Stew Benedict <stewbintn>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: Normal
CC: davidwhodgins, dmorganec, guillomovitch, remco, stormi-mageia, sysadmin-bugs, tmb
Version: 1
Keywords: PATCH, Security, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: nagios-3.2.3-2.mga1.src.rpm
CVE:
Status comment:
Attachments: upstream patch
             example CVE-2011-2179 exploit URL's from securityfocus

Description Stew Benedict 2011-06-28 13:41:25 CEST
Description of problem:

Several XSS vulnerabilities with nagios

Version-Release number of selected component (if applicable):
nagios-3.2.3-2.mga1.src.rpm

How reproducible:

N/A

Refs (should be able to get patches from one of the links off these pages):

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1523
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2179

Possible update text:

Several cross-site scripting (XSS) vulnerabilities have been identified in nagios.  Issues with both config.cgi and statusmap.cgi allowed remote attackers to inject arbitrary web script or HTML. These issues have been identified at mitre.org by CVE-2011-1523 and CVE-2011-2179. Updated packages correct these issues.
Comment 1 Stew Benedict 2011-08-28 21:46:39 CEST
no interest in this, closing

Status: NEW => RESOLVED
Resolution: (none) => OLD

Comment 2 Remco Rijnders 2011-08-29 07:48:55 CEST
I understand your frustration in the lack of follow up given to reported security problems, but I think closing security bugs which have not been solved is not the right way to go. Let's try to keep those issues on the radar at least.

Keywords: (none) => Security
Status: RESOLVED => REOPENED
CC: (none) => remco
Resolution: OLD => (none)

Comment 3 Stew Benedict 2011-08-29 18:45:26 CEST
Whose radar are they supposedly on? They've sat at NEW for 2 months. Our release cycle is only 9. If the users and packagers are only interested in new stuff, then let's not pretend we have a support policy and just be a rolling release.
Comment 4 Remco Rijnders 2011-08-29 18:59:51 CEST
Your radar, our radar. Perhaps it is not given enough priority currently, but that is more a matter of lack of manpower than anything else. Closing unfixed (security) bugs will not make things any better for us or our users though.

Through better triaging (again, as time permits) we can hopefully better identify the security related issues and perhaps even post periodic updates on the subject on the devs list.

We know it's not perfect, far from it even, but let's take steps towards improving the situation, even if they are baby steps.

CC: (none) => guillomovitch

Comment 5 Guillaume Rousse 2011-08-30 10:42:43 CEST
Created attachment 744 [details]
upstream patch

I had to do the work myself for mandriva 2010.0. Here is the upstream patch fixing the issue.
Manuel Hiebel 2011-08-30 10:53:09 CEST

Keywords: (none) => PATCH

Comment 6 D Morgan 2011-09-06 00:56:00 CEST
Guillaume will you add the patch or do you want me to do it ?

CC: (none) => dmorganec

Comment 7 Samuel Verschelde 2011-09-13 12:15:24 CEST
Assigning to Dmorgan as Guillaume replied to his comment 6 on irc :)

Status: REOPENED => ASSIGNED
CC: (none) => stormi
Assignee: bugsquad => dmorganec

Comment 8 Manuel Hiebel 2011-11-01 00:12:17 CET
Ping ?
Comment 9 Guillaume Rousse 2011-11-01 18:12:47 CET
Patched release 3.2.3-2.1 available in updates_testing, untested.
Comment 10 Manuel Hiebel 2011-11-01 18:26:42 CET
Ok thanks.

As we don't really have a 'security team' I assign this bug to the QA.

Assignee: dmorganec => qa-bugs

Comment 11 claire robinson 2011-11-02 11:41:35 CET
Created attachment 1040 [details]
example CVE-2011-2179 exploit URL's from securityfocus
Comment 12 claire robinson 2011-11-03 11:19:53 CET
To check this you need to install nagios and nagios-www too to get the web interface.

Disable authentication in /etc/nagios/cgi.cfg or configure it if you don't want to disable it.

Then 'service nagios start'

You can see the web interface at localhost/nagios and using either of the URLs in the attachment will show the problem. The first brings up a box with XSS in it and the second does the same with 666 in it.

Confirmed the problem on x86_64 and confirmed fix after update.

Instead of opening the box it shows an error in red

e.g. Error:No command "<script>alert(String.fromCharCode(88,83,83))</script>" found

Testing complete x86_64

SRPM: nagios-3.2.3-2.1.mga1.src.rpm
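The behaviour described in comment 12 after the update (the submitted command name is displayed as text inside a red error message instead of being executed by the browser) is what correct output encoding of a reflected parameter looks like. The following is an added illustration of that defensive pattern, not code from Nagios or from the upstream patch attached to this bug: it puts a vulnerable rendering of the "no such command" error next to a hardened one that HTML-encodes the parameter first. The parameter name, the function names (html_escape, render_error_unsafe, render_error_safe, contains_raw_tag) and the markup are assumptions; the input string is the one quoted in comment 12.

```c
/* Added example (not Nagios code): output-encode a user-supplied value
 * before echoing it inside an HTML error message. The names below are
 * hypothetical and do not correspond to functions in the Nagios CGIs. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Encode the five characters that can break out of an HTML text node or
 * a quoted attribute value. Returns a malloc'd string; the caller frees it. */
char *html_escape(const char *in) {
    size_t len = 0;
    for (const char *p = in; *p; p++) {
        switch (*p) {
        case '&':  len += 5; break;  /* &amp;  */
        case '<':
        case '>':  len += 4; break;  /* &lt; &gt; */
        case '"':  len += 6; break;  /* &quot; */
        case '\'': len += 5; break;  /* &#39;  */
        default:   len += 1;
        }
    }
    char *out = malloc(len + 1);
    if (!out) return NULL;
    char *o = out;
    for (const char *p = in; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        if (rep) {
            size_t r = strlen(rep);
            memcpy(o, rep, r);
            o += r;
        } else {
            *o++ = *p;
        }
    }
    *o = '\0';
    return out;
}

/* Vulnerable form: the raw parameter is written straight into the page,
 * so any markup it contains is interpreted by the browser. */
int render_error_unsafe(char *buf, size_t n, const char *cmd) {
    return snprintf(buf, n,
        "<div class='errorMessage'>Error: No command \"%s\" found</div>", cmd);
}

/* Hardened form: the same message, but the parameter is encoded first, so
 * the browser shows it as literal text (the "error in red" seen after the
 * update). */
int render_error_safe(char *buf, size_t n, const char *cmd) {
    char *esc = html_escape(cmd);
    if (!esc) return -1;
    int w = snprintf(buf, n,
        "<div class='errorMessage'>Error: No command \"%s\" found</div>", esc);
    free(esc);
    return w;
}

/* Check used by a QA-style test: does the rendered page still carry a raw
 * script tag? */
int contains_raw_tag(const char *html) {
    return strstr(html, "<script") != NULL;
}

int main(void) {
    /* Constructed input: the value quoted in comment 12, as it would arrive
     * in the query string. */
    const char *cmd = "<script>alert(String.fromCharCode(88,83,83))</script>";
    char page[512];
    render_error_unsafe(page, sizeof page, cmd);
    printf("unsafe: %s\n", page);
    render_error_safe(page, sizeof page, cmd);
    printf("safe:   %s\n", page);
    return 0;
}
```

The encoding has to happen at the point of output and for the specific context (HTML text here); validating the command name against the configured command list, which Nagios already does, decides whether the request is honoured but does not by itself make the echoed value safe to display.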
Comment 13 Dave Hodgins 2011-11-04 02:15:18 CET
Testing complete on i586.  Thanks Claire for the procedure.

Could someone from the sysadmin team push the srpm
nagios-3.2.3-2.1.mga1.src.rpm
from Core Updates Testing to Core Updates

Advisory:
Several cross-site scripting (XSS) vulnerabilities have been identified in
nagios.  Issues with both config.cgi and statusmap.cgi allowed remote attackers
to inject arbitrary web script or HTML. These issues have been identified at
mitre.org by CVE-2011-1523 and CVE-2011-2179. This security update corrects
these issues.

https://bugs.mageia.org/show_bug.cgi?id=1948

CC: (none) => davidwhodgins

Comment 14 claire robinson 2011-11-04 10:36:26 CET
Sysadmin please push, see comment 13 for details. Thank you.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All

Comment 15 Thomas Backlund 2011-11-04 22:06:43 CET
Update pushed.

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED