Cross Frame Scripting XFS

sugardaddyz
Posts: 7
Joined: Wed Aug 28, 2019 11:22 am

Cross Frame Scripting XFS

Post by sugardaddyz »

Hi guys,

Recently our security team has detected the above vulnerability on the Nagios Core monitoring webpage. Is there an existing solution we can apply to address that?

Thank you
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Cross Frame Scripting XFS

Post by scottwilkerson »

Can you give an example? Also, what version of Nagios Core are you using?
Former Nagios employee
Creator:
ahumandesign.com
enneagrams.com
sugardaddyz
Posts: 7
Joined: Wed Aug 28, 2019 11:22 am

Re: Cross Frame Scripting XFS

Post by sugardaddyz »

Using Nagios Core 4.4.3

The team noted that it was possible to capture the login page of the application within an HTML frame of another page, as well as all the keystrokes that are entered by the user. In addition, it was also possible to authenticate to the web application within the HTML frame. The team also noted that there was no 'X-Frame-Options' header in the HTTP response.
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Cross Frame Scripting XFS

Post by scottwilkerson »

sugardaddyz wrote: The team noted that it was possible to capture the login page of the application within an HTML frame
They must be mistaken, because there isn't a login page in the application; it just uses Basic Authentication.
sugardaddyz
Posts: 7
Joined: Wed Aug 28, 2019 11:22 am

Re: Cross Frame Scripting XFS

Post by sugardaddyz »

Hi Scott,

When accessing the Nagios Core webpage, a basic authentication box pops up, then we log in to reach the Nagios Core homepage.

We tried this using an iframe and were able to capture the basic authentication box pop-up too.

If we enable X-Frame-Options DENY on httpd, the Nagios Core webpage will not show. Is there any way to allow the Nagios Core UI to function as normal with X-Frame-Options DENY enabled?
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Cross Frame Scripting XFS

Post by scottwilkerson »

sugardaddyz wrote: Is there any way to allow the Nagios Core UI to function as normal with X-Frame-Options DENY enabled?
No, because Nagios displays its content within frames.

If you disabled it just for the index.php page it should work, but the rest of the pages need to be able to display in a frame.
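A way to get the outcome asked about in the thread, as an added example that is not part of the original posts and not the Nagios project's own configuration: because the Nagios Core UI frames its own pages, X-Frame-Options DENY on every response breaks the UI, but SAMEORIGIN (and its CSP equivalent, frame-ancestors 'self') lets the UI's own same-origin frames keep working while refusing framing by any other site, which is what the clickjacking/XFS finding is about. The script below defines a small check that classifies a captured HTTP response header block (the output of curl -I), and prints the Apache mod_headers directives to add. The header blocks in it are constructed, not captured traffic; the config path in the comments is an assumption, and mod_headers must be loaded (a2enmod headers on Debian-style installs).

```shell
#!/bin/sh
# Added example for this thread; not code from the Nagios project or the posters.
# Assumptions: Apache httpd fronts Nagios Core with mod_headers loaded, and the
# Nagios Apache config is /etc/httpd/conf.d/nagios.conf (path is an assumption;
# Debian-style installs keep it under /etc/apache2/ instead).

# frame_protection_status HEADERS
# Classifies a raw HTTP response header block (for example the output of
# `curl -sS -I URL`). Prints one word:
#   csp             Content-Security-Policy with frame-ancestors is present
#   xfo-deny        X-Frame-Options: DENY (also blocks Nagios's own frameset)
#   xfo-sameorigin  X-Frame-Options: SAMEORIGIN (blocks other origins only)
#   none            no framing restriction at all (the finding in the thread)
frame_protection_status() {
    hdrs=$1
    if printf '%s\n' "$hdrs" | grep -iq '^content-security-policy:.*frame-ancestors'; then
        echo csp
    elif printf '%s\n' "$hdrs" | grep -iq '^x-frame-options:[[:space:]]*deny'; then
        echo xfo-deny
    elif printf '%s\n' "$hdrs" | grep -iq '^x-frame-options:[[:space:]]*sameorigin'; then
        echo xfo-sameorigin
    else
        echo none
    fi
}

# check_url URL [curl options...]
# Live variant: fetch only the headers and classify them. Without -u user:pass
# you get the 401 challenge, which is exactly the response the finding was
# about, so that response needs the header as much as the logged-in pages do.
check_url() {
    url=$1; shift
    frame_protection_status "$(curl -sS -I "$@" "$url")"
}

# frame_header_directives
# Prints the mod_headers lines to add inside the Nagios <Directory> blocks (or
# the whole vhost). "always" matters: without it mod_headers only decorates
# 2xx responses, so the 401 Basic Auth challenge would still be frameable.
frame_header_directives() {
    cat <<'EOF'
# Weak: DENY also blocks the Nagios UI's own frames, so the pages stop showing.
#Header always set X-Frame-Options "DENY"
# Corrected: allow same-origin frames only.
Header always set X-Frame-Options "SAMEORIGIN"
# CSP equivalent; browsers that support it honour this over X-Frame-Options.
Header always set Content-Security-Policy "frame-ancestors 'self'"
EOF
}

# Constructed header blocks standing in for captured responses (not real traffic).
SAMPLE_BEFORE=$(cat <<'EOF'
HTTP/1.1 401 Unauthorized
Server: Apache
WWW-Authenticate: Basic realm="Nagios Access"
Content-Type: text/html; charset=iso-8859-1
EOF
)

SAMPLE_AFTER=$(cat <<'EOF'
HTTP/1.1 401 Unauthorized
Server: Apache
WWW-Authenticate: Basic realm="Nagios Access"
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
Content-Type: text/html; charset=iso-8859-1
EOF
)

echo "before: $(frame_protection_status "$SAMPLE_BEFORE")"   # none
echo "after:  $(frame_protection_status "$SAMPLE_AFTER")"    # csp
echo "directives to add to the Nagios Apache config:"
frame_header_directives
```

After adding the directives and reloading httpd, run check_url against both the bare /nagios/ URL (401 challenge) and an authenticated request; both should report csp, and a test page on another origin that iframes the Nagios URL should render a blank frame while the Nagios UI itself still loads normally.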