Nagios XI Multiple Vulnerabilities

Summary
This host is running Nagios XI and is prone to multiple vulnerabilities.
Impact
Successful exploitation will allow remote attackers to conduct spoofing, cross-site scripting and cross-site request forgery attacks.
Impact Level: Application
Solution
No solution or patch was made available for at least one year after the disclosure of this vulnerability, and it is likely that none will be provided. General solution options are to upgrade to a newer release, disable the respective features, remove the product, or replace the product with another one.
Insight
- Input passed via the 'xiwindow' GET parameter to admin/index.php is not properly verified before being displayed as an iframe.
- Input passed via multiple GET parameters to various scripts is not properly sanitized before being returned to the user.
- The application allows users to perform certain actions via HTTP requests without properly verifying the requests.
- Input passed via the 'address' POST parameter to includes/components/autodiscovery/index.php (when 'mode' is set to 'newjob', 'update' is set to '1', and 'job' is set to '-1') is not properly verified before being used. This can be exploited to inject and execute arbitrary shell commands.
Affected
Nagios XI versions 2012R1.5b and 2012R1.5