Bug 1948 - Cross-site scripting (XSS) vulnerabilities in nagios
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard:
Keywords: PATCH, Security, validated_update
Depends on:
Blocks:
 
Reported: 2011-06-28 13:41 CEST by Stew Benedict
Modified: 2011-11-04 22:06 CET

See Also:
Source RPM: nagios-3.2.3-2.mga1.src.rpm
CVE:
Status comment:


Attachments
upstream patch (2.53 KB, patch)
2011-08-30 10:42 CEST, Guillaume Rousse
example CVE-2011-2179 exploit URL's from securityfocus (217 bytes, text/plain)
2011-11-02 11:41 CET, claire robinson

Description Stew Benedict 2011-06-28 13:41:25 CEST
Description of problem:

Several XSS vulnerabilities with nagios

Version-Release number of selected component (if applicable):
nagios-3.2.3-2.mga1.src.rpm

How reproducible:

N/A

Refs (should be able to get patches from one of the links off these pages):

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1523
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2179

Possible update text:

Several cross-site scripting (XSS) vulnerabilities have been identified in nagios.  Issues with both config.cgi and statusmap.cgi allowed remote attackers to inject arbitrary web script or HTML. These issues have been identified at mitre.org by CVE-2011-1523 and CVE-2011-2179. Updated packages correct these issues.
Comment 1 Stew Benedict 2011-08-28 21:46:39 CEST
no interest in this, closing

Status: NEW => RESOLVED
Resolution: (none) => OLD

Comment 2 Remco Rijnders 2011-08-29 07:48:55 CEST
I understand your frustration in the lack of follow up given to reported security problems, but I think closing security bugs which have not been solved is not the right way to go. Let's try to keep those issues on the radar at least.

Keywords: (none) => Security
Status: RESOLVED => REOPENED
CC: (none) => remco
Resolution: OLD => (none)

Comment 3 Stew Benedict 2011-08-29 18:45:26 CEST
Whose radar are they supposedly on? They've sat at NEW for 2 months. Our release cycle is only 9. If the users and packagers are only interested in new stuff, then let's not pretend we have a support policy and just be a rolling release.
Comment 4 Remco Rijnders 2011-08-29 18:59:51 CEST
Your radar, our radar. Perhaps it is not given enough priority currently, but that is more a matter of lack of manpower than anything else. Closing unfixed (security) bugs will not make things any better for us or our users though.

Through better triaging (again, as time permits) we can hopefully better identify the security related issues and perhaps even post periodic updates on the subject on the devs list.

We know it's not perfect, far from it even, but let's take steps towards improving the situation, even if they are baby steps.

CC: (none) => guillomovitch

Comment 5 Guillaume Rousse 2011-08-30 10:42:43 CEST
Created attachment 744
upstream patch

I had to do the work myself for mandriva 2010.0. Here is the upstream patch fixing the issue.
Manuel Hiebel 2011-08-30 10:53:09 CEST

Keywords: (none) => PATCH

Comment 6 D Morgan 2011-09-06 00:56:00 CEST
Guillaume, will you add the patch or do you want me to do it?

CC: (none) => dmorganec

Comment 7 Samuel Verschelde 2011-09-13 12:15:24 CEST
Assigning to Dmorgan as Guillaume replied to his comment 6 on IRC :)

Status: REOPENED => ASSIGNED
CC: (none) => stormi
Assignee: bugsquad => dmorganec

Comment 8 Manuel Hiebel 2011-11-01 00:12:17 CET
Ping?
Comment 9 Guillaume Rousse 2011-11-01 18:12:47 CET
Patched release 3.2.3-2.1 available in updates_testing, untested.
Comment 10 Manuel Hiebel 2011-11-01 18:26:42 CET
Ok thanks.

As we don't really have a 'security team' I assign this bug to the QA.

Assignee: dmorganec => qa-bugs

Comment 11 claire robinson 2011-11-02 11:41:35 CET
Created attachment 1040
example CVE-2011-2179 exploit URL's from securityfocus
Comment 12 claire robinson 2011-11-03 11:19:53 CET
To check this you need to install nagios and nagios-www too to get the web interface.

Disable authentication in /etc/nagios/cgi.cfg or configure it if you don't want to disable it.

Then 'service nagios start'


You can see the web interface at localhost/nagios and using either of the URLs in the attachment will show the problem. The first brings up a box with XSS in it and the second does the same with 666 in it.

Confirmed the problem x86_64 and confirmed fix after update.

Instead of opening the box it shows an error in red

eg. Error:No command "<script>alert(String.fromCharCode(88,83,83))</script>" found


Testing complete x86_64

SRPM: nagios-3.2.3-2.1.mga1.src.rpm
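
The before/after observation in comment 12 (an alert box before the update, the probe shown as red error text after it) can be checked mechanically by parsing a saved CGI response and seeing whether the probe became a script element or stayed displayed text. This is an added example, not part of the bug report or the upstream patch; the sample response bodies are constructed and the class and function names are hypothetical.

```python
from html.parser import HTMLParser

# Probe string quoted in comment 12; JS is what runs if it is parsed as markup.
PROBE = "<script>alert(String.fromCharCode(88,83,83))</script>"
JS = "alert(String.fromCharCode(88,83,83))"


class ReflectionFinder(HTMLParser):
    """Collects script bodies and visible text separately (hypothetical helper)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # decodes &lt; and &#60; alike
        self.in_script = False
        self.script_text = []
        self.visible_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        (self.script_text if self.in_script else self.visible_text).append(data)


def classify_reflection(body: str) -> str:
    """'executable' = unfixed, 'escaped' = fixed, 'absent' = probe not echoed.

    Only element content is inspected; attribute-value contexts are out of scope.
    """
    finder = ReflectionFinder()
    finder.feed(body)
    finder.close()
    if JS in "".join(finder.script_text):
        return "executable"
    if PROBE in "".join(finder.visible_text):
        return "escaped"
    return "absent"


# Constructed sample bodies, modelled on the behaviour described in comment 12.
BEFORE_UPDATE = "<html><body><p>Command: " + PROBE + "</p></body></html>"
AFTER_UPDATE = ('<html><body><p class="errorMessage">Error:No command '
                '"&lt;script&gt;alert(String.fromCharCode(88,83,83))&lt;/script&gt;"'
                " found</p></body></html>")

if __name__ == "__main__":
    for name, body in (("before", BEFORE_UPDATE), ("after", AFTER_UPDATE)):
        print(name, classify_reflection(body))
```

Parsing the response instead of searching for `&lt;` means numeric character references are recognised as escaped output as well.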
Comment 13 Dave Hodgins 2011-11-04 02:15:18 CET
Testing complete on i586.  Thanks Claire for the procedure.

Could someone from the sysadmin team push the srpm
nagios-3.2.3-2.1.mga1.src.rpm
from Core Updates Testing to Core Updates?

Advisory:
Several cross-site scripting (XSS) vulnerabilities have been identified in
nagios.  Issues with both config.cgi and statusmap.cgi allowed remote attackers
to inject arbitrary web script or HTML. These issues have been identified at
mitre.org by CVE-2011-1523 and CVE-2011-2179. This security update corrects
these issues.

https://bugs.mageia.org/show_bug.cgi?id=1948

CC: (none) => davidwhodgins

Comment 14 claire robinson 2011-11-04 10:36:26 CET
Sysadmin please push, see comment 13 for details. Thank you.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All

Comment 15 Thomas Backlund 2011-11-04 22:06:43 CET
Update pushed.

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

