Assistance to Resolve Security Vulnerabilities
Posted: Tue Feb 02, 2016 4:11 pm
by chicjo01
The Security Team performed the first of many security scans on the NagiosXI server. Our team needs to get a successful scan before the product can go into production. I am looking for documentation and/or assistance with getting the vulnerabilities addressed.
The Security Team used Netsparker to perform the test using a read-only Nagios user. I have handled some of the concerns, but others I could not find enough documentation to get corrected, which is why I am posting here.
I have the scan and information used by Netsparker to recreate the issues.
List of Vulnerabilities:
Command Injection
SQL Injection
Cross-site Scripting
Permanent Cross-site Scripting
Local File Inclusion
Open Redirection
Frame Injection
Out of date jQuery
Debugging mode enabled
Insecure Frame (External)
I have found and applied the below URL:
https://assets.nagios.com/downloads/nag ... s%20XI.pdf
Re: Assistance to Resolve Security Vulnerabilities
Posted: Tue Feb 02, 2016 4:14 pm
by tmcdonald
chicjo01 wrote: The Security Team used Netsparker to perform the test using a read-only Nagios user.
That's the problem right there. Automated security scans already have a high rate of false positives, and that's assuming they can make changes and submit commands. Using an account that is not allowed to make changes severely skews the results of the scan even further. In addition, the list of vulnerabilities provided does not mention any specifics, so it's hard to say what caused the red flags.
Re: Assistance to Resolve Security Vulnerabilities
Posted: Tue Feb 02, 2016 4:35 pm
by chicjo01
I can ask them to rescan using an admin account, if it will produce a better result. Below are some of the examples from the different sections.
SQL Injection
Netsparker identified a probable SQL injection, which occurs when data input by a user is interpreted as an SQL command rather than as normal data by the backend database.
/nagiosxi/reports/notifications.php
Request
GET /nagiosxi/reports/notifications.php?
search=%27%2b%20(select%20convert(int%2c%20cast(0x5f21403264696c656d6d61%20as%20varchar(8000)))%20from%20syscolumns)%20%2b%27&reportperiod=last24hours&startdate=&enddate=&host=&service=&hostgroup=
&servicegroup=&mode=getreport HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*
Referer: http://<Your Nagios Server>/nagiosxi/reports/notifications.php
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Cookie: nagiosxi=ibfcljvt3jsjv7tncl5hvbc0q1
Host: <Your Nagios Server>
Accept-Encoding: gzip, deflate
Response
…
Content-Type: text/html; charset=UTF-8
Date: Sun, 31 Jan 2016 02:19:57 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
SQL: SQL Error [ndoutils] :</b> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '+ (select convert(int,
cast(0x5f21403264696c656d6d61 as varchar(8000))) from sys' at line 20 <
…
-------------------------------------------------------------------------------
Cross-site Scripting
/nagiosxi/includes/components/hypermap_replay/index.php
Request
GET /nagiosxi/includes/components/hypermap_replay/index.php?startdate=&enddate=%27%22%20ns%3d%20netsparker(0x00C71C)%20&reporttimesubmitbutton=&reportperiod=today HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Referer: http://<Nagios Server Here>/nagiosxi/includes/components/hypermap_replay/index.php
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Cookie: nagiosxi=ibfcljvt3jsjv7tncl5hvbc0q1
Host: <Nagios Server Here>
Accept-Encoding: gzip, deflate
Response
…
eportstartdatepicker"><i class="fa fa-calendar fa-cal-btn"></i></div>
<input class="textfield form-control" type="text" id='enddateBox' name="enddate" value="'" ns= netsparker(0x00C71C) " size="16"/><div id="enddatepickercontainer"></div>
<div class="reportenddatepicker"><i class="fa fa-calendar fa-cal-btn"></i></div>
</div>
…
------------------------------------------------------------------
Local File Inclusion:
Netsparker identified a probable local file inclusion vulnerability, which occurs when a file from the target system is injected into the attacked server page.
NOTE: With an active session it will display the passwd file on the server; without one it will ask for a login and then show you the passwd file.
Request
https://<Your Nagios Server>/nagiosxi/ajaxproxy.php?proxyurl=file:///etc/passwd
Re: Assistance to Resolve Security Vulnerabilities
Posted: Tue Feb 02, 2016 4:51 pm
by tmcdonald
SQLi and XSS are possible but the referenced URLs do not actually exploit anything so it's hard to tell if these are false positives. I will speak with the devs about fixing up the SQL at least, and the XSS seems to be fairly well-escaped, but I am not a professional pen-tester so someone who is more skilled may be able to get around that. If your team can provide some POC or otherwise confirm these findings it'd definitely help fast-track things on our end.
LFI is definitely an issue and I have brought this up to our development team.
Re: Assistance to Resolve Security Vulnerabilities
Posted: Tue Feb 02, 2016 5:03 pm
by chicjo01
Do you have any official docs besides the one I provided, to help secure a Nagios server?
Re: Assistance to Resolve Security Vulnerabilities
Posted: Tue Feb 02, 2016 5:04 pm
by scottwilkerson
A new version will be coming out shortly with the Local File Inclusion fixed.
For the time being I am attaching a file that can be unzipped and placed in the following location to remove this vulnerability:
/usr/local/nagiosxi/html/ajaxproxy.php
ajaxproxy.zip
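To show what closing the ajaxproxy.php finding above amounts to, here is an added example (not the attached Nagios fix and not Nagios XI code; written in Python rather than the PHP the product uses): an allowlist check for a proxy-style `proxyurl` parameter that rejects `file://`, scheme-less and host-less targets, plus a detector that runs the same check over constructed Apache-style access log lines to surface past probes. The log lines, IPs and hostnames are made up for the example.

```python
# Added example, not Nagios XI code: allowlist check for a "proxyurl"-style
# parameter and a matching access-log detector. Log lines below are constructed.
import re
from urllib.parse import urlparse, parse_qs

ALLOWED_SCHEMES = {"http", "https"}


def is_safe_proxy_target(raw_url: str) -> bool:
    """Accept only absolute http(s) URLs that name a host.

    file://, php://, data:, scheme-less "//host/x" and host-less values are all
    refused, so a server-side fetch helper cannot be pointed at local files.
    A scheme allowlist alone still permits http:// to internal hosts; pair it
    with a host allowlist where the proxy has a fixed set of legitimate targets.
    """
    parsed = urlparse(raw_url.strip())
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    return bool(parsed.hostname)


# Constructed log sample (hypothetical addresses); second line is a legitimate use.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Jan/2016:02:19:57 +0000] "GET /nagiosxi/ajaxproxy.php?proxyurl=file:///etc/passwd HTTP/1.1" 200 1834
10.0.0.5 - - [31/Jan/2016:02:20:01 +0000] "GET /nagiosxi/ajaxproxy.php?proxyurl=http%3A%2F%2Fintranet.example%2Fstatus HTTP/1.1" 200 512
10.0.0.9 - - [31/Jan/2016:02:20:07 +0000] "GET /nagiosxi/reports/notifications.php?reportperiod=today HTTP/1.1" 200 9012
10.0.0.5 - - [31/Jan/2016:02:20:12 +0000] "GET /nagiosxi/ajaxproxy.php?proxyurl=%2F%2Fexample.org%2Fx HTTP/1.1" 200 77
"""

# Common-log-format request line: client IP, ident, user, [timestamp], "METHOD path PROTO"
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*"'
)


def find_proxy_abuse(log_text: str) -> list:
    """Return (client_ip, decoded proxyurl) for every request whose proxyurl
    would fail is_safe_proxy_target(); parse_qs already percent-decodes."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = urlparse(m.group("path")).query
        for target in parse_qs(query).get("proxyurl", []):
            if not is_safe_proxy_target(target):
                hits.append((m.group("ip"), target))
    return hits
```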
Re: Assistance to Resolve Security Vulnerabilities
Posted: Tue Feb 02, 2016 5:07 pm
by tmcdonald
chicjo01 wrote: Do you have any official docs besides the one I provided, to help secure a Nagios server?
Any docs we have would not address potential unknown bugs in the software, unfortunately. SSL is a good first step, but aside from that it boils down to basic system-level integrity. Don't create accounts you do not need, do not install software you do not need, etc etc.
Re: Assistance to Resolve Security Vulnerabilities
Posted: Tue Feb 02, 2016 5:30 pm
by chicjo01
scottwilkerson wrote: A new version will be coming out shortly with the Local File Inclusion fixed.
For the time being I am attaching a file that can be unzipped and placed in the following location to remove this vulnerability.
Thank you. Will apply the fix. Will look forward to the next update with more bug fixes.
Re: Assistance to Resolve Security Vulnerabilities
Posted: Wed Feb 03, 2016 12:44 pm
by tmcdonald
Since we're continuing via PM I'll be closing this ticket for the time being.