usd-2018-0028 | Icinga Web 2/2.6.1


Advisory ID: usd-2018-0028
CVE number: CVE-2018-18248
Affected Product: Icinga Web 2
Affected Version: 2.6.1
Vulnerability Type: Reflected XSS
Security Risk: medium
Vendor URL: https://www.icinga.com/
Vendor Status: Won’t fix

Description

Reflected XSS attack (or non-persistent attack) occur when a malicious script is reflected off of a web application to the victim’s browser. The attack is typically delivered via email or a web site and activated through a link, which sends a request to a website with a vulnerability that enables execution of malicious scripts.

Proof of Concept (PoC)

Icinga Web 2 does not properly validate and encode parameters received through HTTP GET requests. When the following URLs are requested by an authenticated user the HTTP response will contain malicious JavaScript:

/icingaweb2/monitoring/list/services?service_state=0&limit=10&sort=service_last_state_change&dir=“>alert(1)&view=compact

/icingaweb2/user/list?(user=“onmouseover=“alert(1)“

/icingaweb2/monitoring/timeline?start=1536242399&end=1536156000&extend=1&“>alert(1)=1

The following URL requires the setup module to be enabled but does not require the victim to be authenticated:

/icingaweb2/setup?“>alert(1)=1

Note:
Since the payloads is introduced through the URL, some modern browsers will encode the special characters (´’“ etc.) or detect the XSS attempt and block the request. This should mitigate the effects of this vulnerability in most real-world cases.

 

Fix

Make sure to validate the user supplied input and encode the output.
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Timeline

  • 2018-09-12 First contact request via security@icinga.com
  • 2018-10-02 Vendor received advisories via security@icinga.com
  • 2018-10-11 CVE-ID requested
  • 2018-10-12 received CVE ID and notified vendor about it
  • 2018-11-08 vendor states that they won’t fix the vulnerability as in their opinion it is already handled reasonable by browsers
  • 2018-11-09 extended public disclosure deadline to 2018-11-25
  • 2018-12-07 Security advisory released

Credits

These security vulnerabilities were found by Maximilian Boehner of usd AG.

The X-OWA-UrlPostData header could be decoded to the following: