
Nagios XI Cross Site Scripting Vulnerability

Posted: Tue Sep 08, 2015 12:07 pm
by andy.krueger
Hello,

We recently purchased Nagios XI and installed it via the nagios xi repository (http://repo.nagios.com) on a RHEL 6 server. We are running the most up-to-date version Nagios XI 2014R2.7. Our security team ran a Rapid7 Nexpose scan against our new nagios xi server and have found several vulnerabilities. I was able to fix most of the issues, except for the Cross Site Scripting Vulnerability. The scan says it has proof of the Cross Site Scripting Vulnerability of the following:

Running HTTPS service

HTTP request to https://<server URL>/nagiosxi/login.php/<script>xss</script>

22: var ajax_helper_url = "https://<server URL>/nagi...
23: var ajax_proxy_url = "https://<server URL>/nagio...
24: var suggest_url = "https://<server URL>/nagiosxi...
25: var request_uri = "%2Fnagiosxi%2Flogin.php%2F%3Cscript%3Exs...
26: ...sxi/login.php/<script>xss</script>?";

Is there somewhere I should be looking to see if there is a fix to this issue or that it is a known bug?
How do I get access to the customer support forums?

Re: Nagios XI Cross Site Scripting Vulnerability

Posted: Tue Sep 08, 2015 12:10 pm
by tmcdonald
I will be looking into this now. Can you provide (either directly or via PM) the full report? Or at least the PoC that the report or your security team gave.

Regarding the customer forums, please contact [email protected] with your username and request that you be granted access.

Update: I'm not able to reproduce this just by hitting http://192.168.1.100/nagiosxi/login.php ... ss</script>?"; or http://192.168.1.100/nagiosxi/login.php ... ss</script> which appears to be the URL the scan brought up. Everything is properly escaped on my end. Will keep updating.

Update 2: Still no luck, though I haven't yet gone full-on testing. Awaiting your report or PoC.

Re: Nagios XI Cross Site Scripting Vulnerability

Posted: Tue Sep 08, 2015 1:51 pm
by andy.krueger
I've sent you a copy of the Audit report in a PM. Please let me know if you need more information. Thank you

Re: Nagios XI Cross Site Scripting Vulnerability

Posted: Tue Sep 08, 2015 2:30 pm
by tmcdonald
All of the URLs in the report are truncated, but those that I was able to reconstruct/guess were not vulnerable. My guess is the scan was either overzealous (as they tend to be) or incorrect in its vulnerability verification. If your security team can give us a working PoC I can hand it off to the devs, but I was not able to reproduce anything.

Scans like this need to be taken with a grain of salt, because they tend to over-report. It's like a smoke detector - they would rather be too sensitive and misreport every once in a while than be too loose and let a fire go undetected.

Re: Nagios XI Cross Site Scripting Vulnerability

Posted: Wed Sep 09, 2015 11:08 am
by andy.krueger
Thank you for your help thus far, I now have access to the nagios customer forums.

I ran the security scan again and got 2 results for potential Cross Site Scripting Vulnerability (the full text is below). I believe I now see 2 potential issues due to the fact that I enabled the automatic login feature to provide a readonly view of the system being monitored. I believe that the issue with cross site scripts isn't necessarily a direct security vulnerability with Nagios XI, but rather the potential exists to craft malicious URLs that could be sent to unsuspecting users (https://en.wikipedia.org/wiki/Cross-sit ... t_examples). If your stance is that these issues are false positives, I will document that assessment for our future security audits.

Cross Site Scripting Vulnerability (http-cgi-0010)
------------------------------------------------------------------
Issue 1 Proof:
Injected into the "redirect" URL parameter (Using method GET) in
https://<SERVER URL>/nagiosxi/login.php?redirect=/nagiosxi/index.php%3f&noauth=1 by changing the URL to https://<SERVER URL>/nagiosxi/login.php?redirect=\"><script>364627367&noauth=1
1: ...c7ca&redirect=\"><script>364627367&noauth=1<BR>

Issue 2 Proof:
Running HTTPS service
HTTP request to
https://<SERVER URL>/nagiosxi/login.php/<script>xss</script>
22: var ajax_helper_url = "https://<SERVER URL>/nagiosxi/ajaxhelper.php";
23: var ajax_proxy_url = "https://<SERVER URL>/nagiosxi/ajaxproxy.php";
24: var suggest_url = "https://<SERVER URL>/nagiosxi/suggest.php";
25: var request_uri = "%2Fnagiosxi%2Flogin.php%2F%253Cscript%253Exss%253C%2Fscript%253E";
26: var permalink_base = "https://<SERVER URL>/nagiosxi/login.php/%3Cscript%3Exss%3C/script%3E?";
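The scanner's "Issue 2" proof is the path segment echoed back inside double-quoted JavaScript string literals (the request_uri and permalink_base lines). Whether that is exploitable depends on one thing the scanner does not check: whether the echo is raw, or percent-encoded as it is in the lines quoted above. The script below is an added example written for this thread, not code from Nagios XI, Rapid7 or either poster. The two response bodies are constructed from the scan's quoted lines 22-26, the host monitor.example and all function names are assumptions, and the "vulnerable" body is hypothetical, shown only to illustrate what a true positive would look like. It rates a reflection as exploitable only if the payload is echoed raw and contains something that actually escapes a JS string inside an inline script: a quote, a backslash, a raw line terminator, or the sequence `</` (the HTML parser ends the script element at `</script` before any JavaScript runs).

```python
"""Triage a scanner's reflected-XSS claim against JavaScript string context.

Added example for the Nagios XI thread; not Nagios XI or Rapid7 code.
The sample bodies are constructed from the lines the scan report quoted.
"""
import re
import urllib.parse
import urllib.request

PAYLOAD = "<script>xss</script>"  # the probe the scanner sent in the path

# Matches   var name = "value";   as emitted in the scanned login page.
JS_VAR_RE = re.compile(r'var\s+(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')

# Characters that break out of a double-quoted JS literal in an inline
# <script>: closing quote, backslash, "</" (ends the script element in the
# HTML parser) or a raw line terminator.
BREAKOUT_RE = re.compile(r'"|\\|</|[\r\n\u2028\u2029]')


def js_string_vars(body):
    """Return {name: raw_literal} for every var x = "..."; in the body."""
    return {m.group(1): m.group(2) for m in JS_VAR_RE.finditer(body)}


def how_reflected(value, payload=PAYLOAD):
    """Classify how the payload appears inside one JS string literal."""
    if payload in value:
        return "raw"
    once = urllib.parse.unquote(value)
    if payload in once:
        return "url-encoded"
    if payload in urllib.parse.unquote(once):
        return "double-url-encoded"
    return "absent"


def triage(body, payload=PAYLOAD):
    """Map each JS var that reflects the payload to (how, exploitable)."""
    verdict = {}
    for name, value in js_string_vars(body).items():
        kind = how_reflected(value, payload)
        if kind == "absent":
            continue
        # Only a raw echo that carries a breakout character can execute.
        exploitable = kind == "raw" and BREAKOUT_RE.search(value) is not None
        verdict[name] = (kind, exploitable)
    return verdict


def fetch_body(base_url, payload=PAYLOAD):
    """Live use only: request login.php/<payload> the way the scanner did.

    The path segment is deliberately left unencoded so the server sees the
    same bytes the scanner sent. Note that login.php may redirect; urllib
    follows a bounded number of redirects and raises if it loops.
    """
    url = base_url.rstrip("/") + "/nagiosxi/login.php/" + payload
    req = urllib.request.Request(url, headers={"User-Agent": "xss-triage/0.1"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, errors="replace")


# Constructed from the scan report's lines 22-26: both echoes are
# percent-encoded, so nothing can close the string or the <script> element.
SCANNED_BODY = '''<script type="text/javascript">
var ajax_helper_url = "https://monitor.example/nagiosxi/ajaxhelper.php";
var request_uri = "%2Fnagiosxi%2Flogin.php%2F%253Cscript%253Exss%253C%2Fscript%253E";
var permalink_base = "https://monitor.example/nagiosxi/login.php/%3Cscript%3Exss%3C/script%3E?";
</script>'''

# Hypothetical body (not observed anywhere in the thread) showing what a
# genuine hit would look like: the path echoed without any encoding.
VULNERABLE_BODY = '''<script type="text/javascript">
var request_uri = "/nagiosxi/login.php/<script>xss</script>";
</script>'''


if __name__ == "__main__":
    print("scanned  :", triage(SCANNED_BODY))
    print("vulnerable:", triage(VULNERABLE_BODY))
```

Run against the constructed bodies, the scanned page yields `request_uri` as double-url-encoded and `permalink_base` as url-encoded, both not exploitable, which matches the "everything is properly escaped" observation; only the hypothetical raw echo is flagged. For a live check, feed `fetch_body("https://<SERVER URL>")` into `triage()`; an HTTPS endpoint with a self-signed certificate will need a custom SSL context first. The "Issue 1" proof (the `redirect` parameter) lands in a different response and context, so it needs its own look at where that value is written into the page.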

Re: Nagios XI Cross Site Scripting Vulnerability

Posted: Wed Sep 09, 2015 2:17 pm
by tmcdonald
I am still unable to reproduce this. The first URL just brings up a 404 page, and the second enters an infinite redirect loop. I'm not saying this is definitively secure, only that I was not able to reproduce what the scanner is reporting. I would have your security team take a crack at it to get a second opinion, but I'm fairly confident this is a false positive.