usd-2018-0028 | Icinga Web 2/2.6.1


Advisory ID: usd-2018-0028
CVE number: CVE-2018-18248
Affected Product: Icinga Web 2
Affected Version: 2.6.1
Vulnerability Type: Reflected XSS
Security Risk: medium
Vendor URL: https://www.icinga.com/
Vendor Status: Won’t fix

Description

A reflected XSS attack (or non-persistent attack) occurs when a malicious script is reflected off a web application to the victim’s browser. The attack is typically delivered via email or a web site and activated through a link, which sends a request to a website with a vulnerability that enables execution of malicious scripts.

Proof of Concept (PoC)

Icinga Web 2 does not properly validate and encode parameters received through HTTP GET requests. When the following URLs are requested by an authenticated user, the HTTP response will contain malicious JavaScript:

/icingaweb2/monitoring/list/services?service_state=0&limit=10&sort=service_last_state_change&dir=“>alert(1)&view=compact

/icingaweb2/user/list?(user=“onmouseover=“alert(1)“

/icingaweb2/monitoring/timeline?start=1536242399&end=1536156000&extend=1&“>alert(1)=1

The following URL requires the setup module to be enabled but does not require the victim to be authenticated:

/icingaweb2/setup?“>alert(1)=1

Note:
Since the payload is introduced through the URL, some modern browsers will encode the special characters (´'“ etc.) or detect the XSS attempt and block the request. This should mitigate the effects of this vulnerability in most real-world cases.

Fix

Make sure to validate the user supplied input and encode the output.
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
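
One way to apply this to the two reflection points shown in the PoC (a parameter value such as dir, and a parameter name), as an added example that is not Icinga Web 2 code. The helper names normalizeSortDir, h and buildLink, and the sample input, are assumptions made for illustration:

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; not taken from Icinga Web 2.

/** Validate the sort direction against an allowlist; fall back to a safe default. */
function normalizeSortDir(?string $dir): string
{
    $dir = strtolower((string) $dir);
    return in_array($dir, ['asc', 'desc'], true) ? $dir : 'asc';
}

/** Encode a string for HTML text and quoted attribute values. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Rebuild a link from request parameters. Parameter names are treated as
 * untrusted just like values: both are percent-encoded for the URL, then
 * the finished URL is HTML-encoded for the attribute it is written into.
 */
function buildLink(string $path, array $params): string
{
    $pairs = [];
    foreach ($params as $name => $value) {
        if (!is_scalar($value)) {
            continue; // ignore nested arrays in this simplified example
        }
        $pairs[] = rawurlencode((string) $name) . '=' . rawurlencode((string) $value);
    }
    $url = $path . ($pairs ? '?' . implode('&', $pairs) : '');
    return '<a href="' . h($url) . '">link</a>';
}

// Constructed sample input: markup in a value and in a parameter name,
// the same positions the PoC URLs use.
$params = [
    'sort' => 'service_last_state_change',
    'dir' => '"><b>x</b>',
    '"><b>y</b>' => '1',
];
$params['dir'] = normalizeSortDir($params['dir']);
echo buildLink('/icingaweb2/monitoring/list/services', $params), "\n";
```

The allowlist replaces the unexpected dir value with the default, and the parameter name reaches the page only in percent-encoded form inside a quoted, HTML-encoded attribute.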

Timeline

  • 2018-09-12 First contact request via security@icinga.com
  • 2018-10-02 Vendor received advisories via security@icinga.com
  • 2018-10-11 CVE-ID requested
  • 2018-10-12 received CVE ID and notified vendor about it
  • 2018-11-08 vendor states that they won’t fix the vulnerability as in their opinion it is already handled reasonably by browsers
  • 2018-11-09 extended public disclosure deadline to 2018-11-25
  • 2018-12-07 Security advisory released

Credits

These security vulnerabilities were found by Maximilian Boehner of usd AG.
