Cross Frame Scripting XFS
Hi guys,
Recently our security team has detected the above vulnerability for the Nagios Core monitoring webpage. Is there an existing solution we can apply to address that?
Thank you
- DevOps Engineer
- Posts: 19396
- Joined: Tue Nov 15, 2011 3:11 pm
- Location: Nagios Enterprises
Re: Cross Frame Scripting XFS
Can you give an example? Also, what version of Nagios Core are you using?
- Posts: 7
- Joined: Wed Aug 28, 2019 11:22 am
Re: Cross Frame Scripting XFS
Using Nagios Core 4.4.3
The team noted that it was possible to capture the login page of the application within an HTML frame of another page as well as all the keystrokes that are entered by the user. In addition, it was also possible to authenticate the web application within the HTML frame. The team also noted that there was no ‘X-Frame-Options’ header in the HTTP response.
Re: Cross Frame Scripting XFS
sugardaddyz wrote: The team noted that it was possible to capture the login page of the application within a HTML frame
They must be mistaken, because there isn't a login page in the application, it just used Basic Authentication.
Re: Cross Frame Scripting XFS
Hi Scott,
When accessing the Nagios Core webpage, a basic authentication box will pop up, then we will log in to reach the Nagios Core homepage.
We tried this using an iframe, and we are able to capture the basic authentication box pop-up too.
If we enable xframe deny all on httpd, the Nagios Core webpage will not be able to show. Is there any way to allow the Nagios Core UI to function as normal with xframe deny all enabled?
Re: Cross Frame Scripting XFS
sugardaddyz wrote: Is there any way to allow nagios core ui to function as normal with xframe deny all enabled ?
No, because Nagios displays its content within frames.
If you disabled it just for the index.php page it should work, but the rest of the pages need to be able to display in a frame.
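The trade-off discussed in this thread, as an added example that is not part of the original posts or of Nagios itself: a simplified model of how a browser applies `X-Frame-Options` and CSP `frame-ancestors`, showing which header values keep a frame-based UI working while stopping other sites from framing it. The URLs and the function names are constructed for illustration, and the model only considers the immediate parent page.

```python
from urllib.parse import urlsplit

def origin(url):
    """(scheme, host, port) of a URL, with default ports filled in."""
    u = urlsplit(url)
    return (u.scheme, (u.hostname or "").lower(),
            u.port or {"http": 80, "https": 443}.get(u.scheme))

def frame_ancestors(csp):
    """Source list of the CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def framing_allowed(headers, page_url, parent_url):
    """Simplified browser decision: may parent_url show page_url in a frame?"""
    h = {k.lower(): v for k, v in headers.items()}
    same = origin(page_url) == origin(parent_url)
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:  # frame-ancestors overrides X-Frame-Options
        if not sources or "'none'" in sources:
            return False
        if "*" in sources or ("'self'" in sources and same):
            return True
        return any(origin(s) == origin(parent_url) for s in sources if "://" in s)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return same
    return True  # no framing policy: any site may embed the page

# Constructed URLs: the UI's own frameset page, one page it frames, another site.
FRAMESET = "https://nagios.example.test/nagios/index.php"
FRAMED = "https://nagios.example.test/nagios/framed-page"
OTHER_SITE = "https://other.example.test/embed.html"

def check(headers):
    """(own frameset still works, another site can frame the UI)."""
    return (framing_allowed(headers, FRAMED, FRAMESET),
            framing_allowed(headers, FRAMED, OTHER_SITE))

if __name__ == "__main__":
    for hdrs in ({}, {"X-Frame-Options": "DENY"}, {"X-Frame-Options": "SAMEORIGIN"},
                 {"Content-Security-Policy": "frame-ancestors 'self'"}):
        print(hdrs, check(hdrs))
```

Running it prints, for each header set, whether the UI's own frames still load and whether a page on another origin could embed it.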