[dev.icinga.com #1605] Cross-Site Scripting vulnerability in Icinga

[icinga-migration]

This issue has been migrated from Redmine: https://dev.icinga.com/issues/1605

Created by sschurtz on 2011-06-01 14:46:03 +00:00

Assignee: mfriedrich
Status: Resolved (closed on 2011-06-26 15:35:37 +00:00)
Target Version: 1.4.2
Last Update: 2014-12-08 09:42:15 +00:00 (in Redmine)

Icinga Version: 1.10.0
OS Version: any

---

Advisory:           Cross-Site Scripting vulnerability in Icinga
Advisory ID:        SSCHADV2011-005
Author:             Stefan Schurtz
Affected Software:  Successfully tested on: icinga-1.3.0 / icinga-1.4.0
Vendor URL:         http://www.icinga.org
Vendor Status:      informed
CVE-ID:             -

==========================
Vulnerability Description:
==========================

This is a Cross-Site Scripting vulnerability

==================
Technical Details:
==================

No input validation for "expand" in config.c(gi)

View Config -> Command Expansion -> To expand -> alert(String.fromCharCode(88,83,83))
View Config -> Command Expansion -> To expand -> 

or 

http://www.example.com/icinga/cgi-bin/config.cgi?type=command&expand=alert(String.fromCharCode(88,83,83))
http://www.example.com/icinga/cgi-bin/config.cgi?type=command&expand=

=========
Solution:
=========

in config.c

< printf("To expand:%s",command_args[0]);

> printf("To expand:%s",escape_string(command_args[0]));

====================
Disclosure Timeline:
====================

01-Jun-2011 - informed developers
01-Jun-2011 - Release date of this security advisory

========
Credits:
========

Vulnerability found and advisory written by Stefan Schurtz.

===========
References:
===========

http://www.icinga.org        
http://www.rul3z.de/advisories/SSCHADV2011-005.txt

Changesets

2011-06-01 15:46:42 +00:00 by mfriedrich cbe9993

classic ui: fix cross site scripting vulnerability in config.cgi on config expander arguments #1605

thanks Stefan, the proposed fix attempts to fix it globally
on the config.cgi command expander

fixes #1605

2011-06-01 15:48:15 +00:00 by mfriedrich cd50422

classic ui: fix cross site scripting vulnerability in config.cgi on config expander arguments #1605

thanks Stefan, the proposed fix attempts to fix it globally
on the config.cgi command expander

fixes #1605

2011-06-08 21:25:49 +00:00 by mfriedrich 757be9b

re-fix xss vulnerability and string escaping for command expansion #1605 #1624

refs #1605
refs #1624

2011-06-09 11:59:14 +00:00 by mfriedrich bd1ae15

re-fix xss vulnerability and string escaping for command expansion #1605 #1624

refs #1605
refs #1624

---

Relations:

• duplicates #1605

[icinga-migration]

Updated by mfriedrich on 2011-06-01 15:15:56 +00:00

• Project changed from 20 to 19

[icinga-migration]

Updated by mfriedrich on 2011-06-01 15:16:49 +00:00

• Status changed from New to Assigned
• Assigned to set to mfriedrich
• Priority changed from Normal to High
• Target Version set to 1.4.1

yep, verified and tested in existing 1.4.0 setups.

[icinga-migration]

Updated by mfriedrich on 2011-06-01 15:41:47 +00:00

thanks for the proposed patch, but this does only small fixing in the expanding itsself.

the overall expand GET variable can be used all over config.cgi - e.g. hosts and using the 'show only' search form will cause the url to look like this

config.cgi?type=hosts&expand=<body+onload%3Dalert(666)>

generating another xss vulnerability on the hosts page.

the proposed fix attempts to already escape the string when reading the GET variables, and this is verified working all over the place.

i will push it to git upstream and r1.4 for an 1.4.1 release soon to be out there.

[icinga-migration]

Updated by mfriedrich on 2011-06-01 15:49:57 +00:00

• Done % changed from 0 to 80

resolved in 32 minutes ;-D

[icinga-migration]

Updated by mfriedrich on 2011-06-01 16:54:16 +00:00

• Status changed from Assigned to Resolved
• Done % changed from 80 to 100

Applied in changeset cd50422.

[icinga-migration]

Updated by mfriedrich on 2011-06-08 21:22:01 +00:00

• Status changed from Resolved to Feedback
• Done % changed from 100 to 90

ok, i've now figured what i might have missed on the overall hard quickfix.

your proposed patch is fine, unless someone sets escape_html_tags=0 in cgi.cfg (happens when using check_multi e.g.).

there are to other places where just an html_encode happens instead of escape_string (the 2. line and the input form).

check-host-alive!

command_args[i] isn't escaped too. so the variety with 2 introduced search forms plus multiple arguments being interpreted needs overall escaping.

the clean way is to revoke all html_encode onto the expander/command_args, and only let escape_string happen when it's printf'd.

tested with escape_html_tags 0 and 1.

[icinga-migration]

Updated by mfriedrich on 2011-06-15 16:48:58 +00:00

• Target Version changed from 1.4.1 to 1.4.2

[icinga-migration]

Updated by mfriedrich on 2011-06-26 15:35:37 +00:00

• Status changed from Feedback to Resolved
• Done % changed from 90 to 100

[icinga-migration]

Updated by mfriedrich on 2014-12-08 09:42:15 +00:00

• Project changed from 19 to Core, Classic UI, IDOUtils
• Category set to Classic UI
• Icinga Version set to 1
• OS Version set to any