
Web Inspection Security Vulnerabilities

Posted: Fri Jan 11, 2019 12:38 pm
by fmundt
Our security team has identified a few vulnerabilities that we need some help on.

The two critical issues are a Cross-Site Scripting (Reflected) issue with Nagvis with an invalid session. "It only happens when you have an invalid session - that is, one with an invalid character, too short, too long, etc. Not an expired one."

GET /nagvis/frontend/nagvis-js/index.php?mod=Map&act=view&show=demo-overview<sCrIpT>alert(85263)</sCrIpT>&lang=en_US HTTP/1.1
Accept: */*

And an issue with the persistent cookie. Is it possible to set the cookie to a session cookie?

Set-Cookie: nagiosxi=m740i6c19mduif1qid373sne85; expires=Mon, 07-Jan-2019 18:25:19 GMT; path=/; secure; httponly;HttpOnly;Secure


HTTP Verb Tampering - they don't like the server responding to the HEAD request. Can the Apache web server be modified to restrict the HTTP verbs to GET, POST, PUT and DELETE?

Re: Web Inspection Security Vulnerabilities

Posted: Fri Jan 11, 2019 4:52 pm
by cdienger
Restricting the HEAD method shouldn't be a problem, although I'd have to do a bit of digging to find out how to do this in Apache with the configs Nagios installs.

Changing the cookie could potentially break things. I'll bring this up with our dev team though to see if this could be done.

Can you PM me some more details regarding the CSS vulnerability including steps to reproduce?
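For the verb-restriction question in the first post, here is an added Apache configuration example (not from this thread and not part of Nagios XI or NagVis). It assumes Apache 2.4 with mod_rewrite loaded, and the directory path is a placeholder to be replaced with the document root the Nagios installer actually configures. The allowed-method list is exactly the one the first post asked for.

```apache
# Added example, not from the Nagios/NagVis projects.
# Assumes Apache 2.4 with mod_rewrite enabled; the path is a placeholder.
<Directory "/path/to/nagios/html">
    # Deny every method except the four the scan report wants.
    # Caveat from the Apache docs: inside <Limit>/<LimitExcept>, GET also
    # covers HEAD, so HEAD cannot be denied here without denying GET too.
    <LimitExcept GET POST PUT DELETE>
        Require all denied
    </LimitExcept>

    # mod_rewrite sees the real method, so HEAD can be refused here
    # with a 403 while GET keeps working.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^HEAD$
    RewriteRule .* - [F]
</Directory>

# TRACE is controlled by its own core directive rather than <LimitExcept>.
TraceEnable Off
```

After reloading Apache, OPTIONS, TRACE and HEAD requests to that directory return 403 or 405 while GET, POST, PUT and DELETE are untouched. Note that PUT and DELETE are kept only because the first post lists them; a deployment that does not need them would drop them from the LimitExcept list. The persistent-cookie finding is separate from Apache: the expires attribute on the nagiosxi cookie comes from PHP's session.cookie_lifetime setting, and a value of 0 makes it a browser-session cookie, which is the change cdienger said would need checking with the dev team.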

Re: Web Inspection Security Vulnerabilities

Posted: Mon Jan 14, 2019 9:36 am
by fmundt
Unfortunately my profile status doesn't allow me to private message: "We are sorry, but you are not authorised to use this feature. You may have just registered here and may need to participate more to be able to use this feature."

Re: Web Inspection Security Vulnerabilities

Posted: Mon Jan 14, 2019 4:27 pm
by cdienger
I think it's been fixed now if you'd like to try PMing again.

Also, since Nagvis is a third party project, I would recommend posting any Nagvis specific vulnerabilities to https://github.com/NagVis/nagvis