Vigil@nce - Nagios: Cross Site Scripting of config.cgi
June 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can use the config.cgi program of Nagios to trigger a
Cross Site Scripting attack.
Severity: 2/4
Creation date: 06/06/2011
IMPACTED PRODUCTS
– Nagios
DESCRIPTION OF THE VULNERABILITY
The config.cgi program displays the configuration of Nagios.
The display_command_expansion() function of the cgi/config.c file
displays expanded commands. Its "expand" parameter indicates the
name of the command to display. However, this name is not filtered
before being inserted into the HTML page containing the result of
the expansion.
An attacker can therefore use the config.cgi program of Nagios to
trigger a Cross Site Scripting attack.
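The following C snippet is an added illustration, not code from Nagios or from the Vigil@nce bulletin. It contrasts the pattern described above (a CGI parameter interpolated into HTML verbatim) with the corrected pattern (the value is HTML-escaped first). The function names html_escape(), render_expansion_unsafe() and render_expansion_safe(), and the sample "expand" value, are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Append a fixed string at *p and advance the cursor. */
static void append(char **p, const char *s) {
    size_t n = strlen(s);
    memcpy(*p, s, n);
    *p += n;
}

/* Added example (not Nagios code): HTML-escape a query-string value before
 * it is echoed into a page. Returns a newly allocated string; caller frees. */
char *html_escape(const char *in) {
    size_t len = strlen(in);
    /* Worst case: every input byte expands to "&quot;" (6 bytes). */
    char *out = malloc(len * 6 + 1);
    if (out == NULL) return NULL;
    char *p = out;
    for (const char *s = in; *s != '\0'; s++) {
        switch (*s) {
        case '<':  append(&p, "&lt;");   break;
        case '>':  append(&p, "&gt;");   break;
        case '&':  append(&p, "&amp;");  break;
        case '"':  append(&p, "&quot;"); break;
        case '\'': append(&p, "&#39;");  break;
        default:   *p++ = *s;            break;
        }
    }
    *p = '\0';
    return out;
}

/* Vulnerable pattern: the command name from the "expand" parameter is
 * placed into the HTML response without any filtering. */
int render_expansion_unsafe(char *buf, size_t bufsz, const char *expand) {
    return snprintf(buf, bufsz, "<p>Command: <b>%s</b></p>", expand);
}

/* Hardened pattern: escape the attacker-controlled value first, so any
 * markup it contains is rendered as literal text instead of being parsed. */
int render_expansion_safe(char *buf, size_t bufsz, const char *expand) {
    char *esc = html_escape(expand);
    if (esc == NULL) return -1;
    int n = snprintf(buf, bufsz, "<p>Command: <b>%s</b></p>", esc);
    free(esc);
    return n;
}

int main(void) {
    /* Constructed sample value for the "expand" parameter. */
    const char *expand = "check_ping<b>";
    char buf[256];

    render_expansion_unsafe(buf, sizeof buf, expand);
    printf("unsafe: %s\n", buf);   /* markup from the parameter survives */

    render_expansion_safe(buf, sizeof buf, expand);
    printf("safe:   %s\n", buf);   /* markup is neutralised as &lt;b&gt; */
    return 0;
}
```

The escaped form is what a fix for this class of bug looks like: the output encoding matches the context (HTML element content), and it is applied at the point where the untrusted value meets the page, not somewhere upstream where it could be bypassed.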
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Nagios-Cross-Site-Scripting-of-config-cgi-10702