Cross-Frame Scripting

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
ravish78
Posts: 269
Joined: Wed Mar 14, 2012 9:50 am

Cross-Frame Scripting

Post by ravish78 »

We had an audit in our company and they came up with the following risk in the Nagios XI currently used in our environment.
Is there anything from your side to be done to remediate this risk?

Cross-Frame Scripting
A Cross-Frame Scripting (XFS) vulnerability can allow an attacker to load the vulnerable application inside an HTML iframe tag on a malicious page. The attacker could use this weakness to devise a Clickjacking attack to conduct phishing, frame sniffing, social engineering or Cross-Site Request Forgery attacks.

Clickjacking
The goal of a Clickjacking attack is to deceive the victim user into interacting with UI elements of the attacker's choice on the target web site without her knowledge and in turn executing privileged functionality on the victim's behalf. To achieve this goal, the attacker must exploit the XFS vulnerability to load the attack target inside an iframe tag, hide it using Cascading Style Sheets (CSS) and overlay the phishing content on the malicious page. By placing the UI elements on the phishing page to overlap with those on the page targeted in the attack, the attacker can ensure that the victim is forced to interact with the UI elements on the target page not visible to the victim.
sreinhardt
-fno-stack-protector
Posts: 4366
Joined: Mon Nov 19, 2012 12:10 pm

Re: Cross-Frame Scripting

Post by sreinhardt »

Is this with the login page in particular, XI as a whole, or some other portion? As for resolving an issue such as this, we would likely need to implement X-FRAME-OPTIONS to restrict loading to within SAMEORIGIN. Is it possible, absolutely! Do we take issues like this seriously, definitely! Is it something that has been disclosed to us short of this, unfortunately not. If there are further details that your auditors or yourself could provide that would be fantastic. Otherwise I will speak with our developers about including this functionality. I could see some issues with Fusion, but we can and would definitely test prior to releasing an update.

Thanks for the info!!
Nagios-Plugins maintainer exclusively, unless you have other C language bugs with open-source nagios projects, then I am happy to help! Please pm or use other communication to alert me to issues as I no longer track the forum.
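The audit finding above and sreinhardt's proposed fix (X-Frame-Options restricted to SAMEORIGIN) both come down to one question: does the HTTP response carry an anti-framing header that browsers honour? The following is an added example, not Nagios code and not the scanner the auditors used. It classifies a response's headers as protected, weak or unprotected, evaluating a Content-Security-Policy `frame-ancestors` directive first (browsers that support it ignore X-Frame-Options when both are present) and falling back to X-Frame-Options. The sample header sets are constructed for illustration; `check_url` is a hypothetical helper for running the same check against a live server.

```python
"""Check HTTP response headers for anti-framing (clickjacking) controls.

Added example, not part of Nagios XI. 'protected' means a modern browser
will refuse to load the page in a third-party <iframe>.
"""
from __future__ import annotations

import urllib.request
from typing import Mapping, Optional, Tuple


def _frame_ancestors(csp: str) -> Optional[list]:
    """Return the source list of the CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip().lower() for p in parts[1:]]
    return None


def classify_frame_protection(headers: Mapping[str, str]) -> Tuple[str, str]:
    """Classify anti-framing headers.

    Returns (status, reason), status being 'protected', 'weak' or 'unprotected'.
    CSP frame-ancestors takes precedence over X-Frame-Options in browsers that
    support it, so it is evaluated first.
    """
    h = {k.lower(): v for k, v in headers.items()}

    csp = h.get("content-security-policy")
    if csp is not None:
        sources = _frame_ancestors(csp)
        if sources is not None:
            if sources == ["'none'"] or sources == ["'self'"]:
                return "protected", "CSP frame-ancestors " + " ".join(sources)
            # A bare wildcard or scheme-only source lets any site frame the page.
            if "*" in sources or any(s in ("http:", "https:") for s in sources):
                return "weak", "CSP frame-ancestors allows arbitrary origins"
            return "protected", "CSP frame-ancestors restricted to: " + " ".join(sources)

    xfo = h.get("x-frame-options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return "protected", "X-Frame-Options " + value
        if value.startswith("ALLOW-FROM"):
            # ALLOW-FROM is obsolete and ignored by current browsers, which then
            # behave as if no header were sent at all.
            return "weak", "X-Frame-Options ALLOW-FROM is obsolete and not honoured"
        return "weak", "X-Frame-Options has an unrecognised value: %r" % xfo

    return "unprotected", "no X-Frame-Options or CSP frame-ancestors header"


def check_url(url: str, timeout: float = 10.0) -> Tuple[str, str]:
    """Hypothetical helper: fetch a URL and classify its live response headers."""
    req = urllib.request.Request(url, method="GET")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return classify_frame_protection(dict(resp.headers.items()))


# Constructed sample responses (not captured from any real Nagios XI install).
SAMPLE_RESPONSES = {
    "unhardened": {"Content-Type": "text/html; charset=utf-8", "Server": "Apache"},
    "xfo_sameorigin": {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"},
    "csp_self": {"Content-Type": "text/html",
                 "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "allow_from": {"X-Frame-Options": "ALLOW-FROM https://example.com"},
    # CSP wins over the stricter X-Frame-Options here, so this one is still weak.
    "csp_wildcard": {"Content-Security-Policy": "frame-ancestors *",
                     "X-Frame-Options": "DENY"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        status, reason = classify_frame_protection(hdrs)
        print("%-15s %-12s %s" % (name, status, reason))
```

On an Apache front end such as the one Nagios XI ships with, the SAMEORIGIN fix sreinhardt describes is a single mod_headers line, `Header always set X-Frame-Options "SAMEORIGIN"`, in the site or virtual host configuration; re-running the check afterwards should move every page from `unprotected` to `protected`. The `csp_wildcard` case is worth keeping in mind when adding a Content-Security-Policy later: a permissive `frame-ancestors` silently undoes a strict X-Frame-Options.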
essrichard
Posts: 24
Joined: Wed Apr 29, 2015 12:10 pm

Re: Cross-Frame Scripting

Post by essrichard »

We have found similar issues on our Nagios XI as well. I would be glad to provide the detailed report of our scan, but I am not allowed to upload Excel documents. How can I get this to you for review?
I posted some basics on other vulnerabilities as well here: https://support.nagios.com/forum/viewto ... 16&t=35873
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: Cross-Frame Scripting

Post by tmcdonald »

I have replied to the other thread, and will be closing this one so as not to have two open about the same thing.
Former Nagios employee