[dev.icinga.com #10453] Icinga Classic-UI 1.13.3 and older are vulnerable to XSS - CVE-2015-8010

[icinga-migration]

This issue has been migrated from Redmine: https://dev.icinga.com/issues/10453

Created by ricardo on 2015-10-23 20:24:35 +00:00

Assignee: ricardo
Status: Resolved (closed on 2015-10-30 20:10:07 +00:00)
Target Version: 1.14
Last Update: 2015-10-30 22:14:06 +00:00 (in Redmine)

Icinga Version: 1.13.3
OS Version: Linux 4.2.3

---

Due to my bad programming skills I introduced a XSS vulnerability in Classic-UI with the CSV export link and pagination feature.

This got originally introduced with this issue https://dev.icinga.org/issues/593 and version 1.3.

Example: http://classic.demo.icinga.org/icinga/cgi-bin/status.cgi?host=all&'onmouseover='prompt(25435);'bad='

I already wrote a fix which just needs to commitet.
Hopefully this fix can make it into 1.14.0.

Thanks to T-Systems Germany for finding it.

Cheers
Ricardo

Attachments

• Icinga_1.11.6_fix_xxs_CVE-2015-8010.patch ricardo - 2015-10-30 20:54:35 +00:00

Changesets

2015-10-23 20:26:12 +00:00 by ricardo 5c816f5

Classic-UI: fixes a XXS vulnerability in pagination and export links #10453

Sorry guys. Due to my bad programming skills I introduced a
XSS vulnerability in Classic-UI with the CSV export link and
pagination feature. The functions parsed QUERY_STRING from
the environment without properly sanitizing it.

The getcgivars() function got a bit reworked. Once the
QUERY_STRING is read and parsed the content survives the
whole lifetime of the cgi execution and gets free’d at
the end. This way we can always build urls from valid parsed
cgi params.

I wonder why I haven't done this earlier.

Also the url param parsing in every cgi was updated and
hopefully everything works as bevor.

Refs: #10453

2015-10-30 20:05:17 +00:00 by ricardo 31dd493

Merge branch 'fix/xxs-vulnerability-in-classic-ui-10453'

fixes: #10453
fixes: CVE-2015-8010

[icinga-migration]

Updated by ricardo on 2015-10-23 20:58:15 +00:00

• Status changed from New to Assigned

Now fixed in "fix/xxs-vulnerability-in-classic-ui-10453"

[icinga-migration]

Updated by ricardo on 2015-10-23 21:02:57 +00:00

Just sent out request for CVE. Will update this issue once CVE is assigned.

Cheers
Ricardo

[icinga-migration]

Updated by ricardo on 2015-10-23 21:28:59 +00:00

• Project changed from Icinga 1.x to Core, Classic UI, IDOUtils
• Category set to Classic UI
• Status changed from Assigned to Feedback
• Done % changed from 50 to 90
• Icinga Version set to 1
• OS Version set to Linux 4.2.3

[icinga-migration]

Updated by mfriedrich on 2015-10-26 08:04:42 +00:00

Please just merge it to master, you're responsible for Classic UI. I won't look into 1.x in detail, just one thing is missing for 1.14 - the IDO schema updates coming from 2.x

[icinga-migration]

Updated by mfriedrich on 2015-10-26 08:18:45 +00:00

• Status changed from Feedback to Assigned

[icinga-migration]

Updated by mfriedrich on 2015-10-26 08:19:27 +00:00

Please edit the issue's subject with the CVE number once assigned. Then we may generate the changelog from redmine issues accordingly.

[icinga-migration]

Updated by ricardo on 2015-10-29 19:14:21 +00:00

Hi,

still waiting for a CVE number to be assigned.

Will update and merge as soon as I get one.

Cheers
Ricardo

[icinga-migration]

Updated by mfriedrich on 2015-10-29 21:31:06 +00:00

Seems it is there, go on please.
http://permalink.gmane.org/gmane.comp.security.oss.general/18053?utm\_source=twitterfeed&utm\_medium=twitter

[icinga-migration]

Updated by ricardo on 2015-10-30 20:09:53 +00:00

• Subject changed from Icinga Classic-UI 1.13.3 and older are vulnerable to XSS to Icinga Classic-UI 1.13.3 and older are vulnerable to XSS - CVE-2015-8010
• Done % changed from 90 to 100

We got a CVE to track this issue.

CVE-2015-8010

now in current master

[icinga-migration]

Updated by ricardo on 2015-10-30 20:10:07 +00:00

• Status changed from Assigned to Resolved

Applied in changeset 31dd493.

[icinga-migration]

Updated by mfriedrich on 2015-10-30 20:23:57 +00:00

Thanks. I'm planning to release 1.14 either before or after icinga2 v2.4 (ido schema compatibilty). I'll talk to the web devs if they are ready as well.

[icinga-migration]

Updated by ricardo on 2015-10-30 20:55:13 +00:00

• File added Icinga_1.11.6_fix_xxs_CVE-2015-8010.patch

And here a patch against 1.11.6 for the debian folks.

this should apply cleanly.

[icinga-migration]

Updated by mfriedrich on 2015-10-30 22:14:06 +00:00

https://security-tracker.debian.org/tracker/CVE-2015-8010