Info

Disclosure

Mar 07, 2011

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Mar 07, 2011

Description

Icinga contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate input passed via the URL upon submission to the cgi-bin/status.cgi script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Patch / RCS
Exploit: Exploit Public
Disclosure: Vendor Verified, Coordinated Disclosure
OSVDB: Web Related

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Icinga has committed a fix to the CVS repository.

Products

The Icinga Project

Icinga

1.3.0

References

Secunia Advisory ID: 43643
Related OSVDB ID: 71051 71052
Mail List Post: http://seclists.org/bugtraq/2011/Mar/88
Other Advisory URL: http://www.darksecurity.de/index.php?/130-SSCHADV2011-001-Cross-Site-Scripting-vulnerabilities-in-Icinga.html
http://www.rul3z.de/advisories/SSCHADV2011-001.txt
Vendor Specific Advisory URL: https://dev.icinga.org/issues/1275

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/71050