{"id":16577,"date":"2021-07-08T10:07:20","date_gmt":"2021-07-08T08:07:20","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2018-0028\/"},"modified":"2021-07-19T14:09:25","modified_gmt":"2021-07-19T12:09:25","slug":"usd-2018-0028","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2018-0028\/","title":{"rendered":"usd-2018-0028"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n

usd-2018-0028 | Icinga Web 2\/2.6.1<\/span><\/h1>\n

<\/span>
Advisory ID<\/strong>: usd-2018-0028<\/span>
CVE number<\/strong>: CVE-2018-18248<\/span>
Affected Product<\/strong>: Icinga Web 2<\/span>
Affected Version<\/strong>: 2.6.1<\/span>
Vulnerability Type<\/strong>: Reflected XSS<\/span>
Security Risk<\/strong>: medium<\/span>
Vendor URL<\/strong>: <\/span>https:\/\/www.icinga.com\/<\/a>
Vendor Status<\/strong>: Won\u2019t fix<\/span><\/p>\n

<\/h3>\n

Description<\/h3>\n

Reflected XSS attack (or non-persistent attack) occur when a malicious script is reflected off of a web application to the victim\u2019s browser. The attack is typically delivered via email or a web site and activated through a link, which sends a request to a website with a vulnerability that enables execution of malicious scripts.<\/span><\/p>\n

<\/span><\/p>\n

Proof of Concept (PoC)<\/h3>\n

Icinga Web 2 does not properly validate and encode parameters received through HTTP GET requests. When the following URLs are requested by an authenticated user the HTTP response will contain malicious JavaScript:<\/p>\n

\/icingaweb2\/monitoring\/list\/services?service_state=0&limit=10&sort=service_last_state_change&dir=\u201c>alert(1)&view=compact<\/p>\n

\/icingaweb2\/user\/list?(user=\u201conmouseover=\u201calert(1)\u201c<\/p>\n

\/icingaweb2\/monitoring\/timeline?start=1536242399&end=1536156000&extend=1&\u201c>alert(1)=1<\/p>\n

The following URL requires the setup module to be enabled but does not require the victim to be authenticated:<\/p>\n

\/icingaweb2\/setup?\u201c>alert(1)=1<\/p>\n

Note:
Since the payloads is introduced through the URL, some modern browsers will encode the special characters (\u00b4'\u201c etc.) or detect the XSS attempt and block the request. This should mitigate the effects of this vulnerability in most real-world cases.<\/p>\n

 <\/p>\n

\n
\n

Fix<\/h3>\n

Make sure to validate the user supplied input and encode the output.<\/span>
https:\/\/www.owasp.org\/index.php\/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet<\/span><\/p>\n

<\/h3>\n

Timeline<\/h3>\n
    \n
  • 2018-09-12 First contact request via security@icinga.com<\/li>\n
  • 2018-10-02 Vendor received advisories via security@icinga.com<\/li>\n
  • 2018-10-11 CVE-ID requested<\/li>\n
  • 2018-10-12 received CVE ID and notified vendor about it<\/li>\n
  • 2018-11-08 vendor states that they won\u2019t fix the vulnerability as in their opinion it is already handled reasonable by browsers<\/li>\n
  • 2018-11-09 extended public disclosure deadline to 2018-11-25<\/li>\n
  • 2018-12-07 Security advisory released<\/li>\n<\/ul>\n

    <\/h3>\n

    Credits<\/h3>\n

    These security vulnerabilities were found by Maximilian Boehner of usd AG.<\/span><\/p>\n<\/div>\n<\/div>\n

    [\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n

    The X-OWA-UrlPostData<\/em> header could be decoded to the following:<\/p>\n

    [\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"

    usd-2018-0028 | Icinga Web 2\/2.6.1 Advisory ID: usd-2018-0028CVE number: CVE-2018-18248Affected Product: Icinga Web 2Affected Version: 2.6.1Vulnerability Type: Reflected XSSSecurity Risk: mediumVendor URL: https:\/\/www.icinga.com\/Vendor Status: Won\u2019t fix Description Reflected XSS attack (or non-persistent attack) occur when a malicious script is reflected off of a web application to the victim\u2019s browser. The attack is typically delivered via […]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16577","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16577","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16577"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16577\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16577"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}