
CVE-2021-43584 - DOM-based XSS via 'name' element of 'Tail Event Logs' functionality #830

Closed
iamaldi opened this issue Nov 29, 2021 · 4 comments

iamaldi commented Nov 29, 2021

Vulnerability Description

CENSUS identified that the 'Tail Event Logs' functionality of the Nagios Cross-Platform Agent (NCPA) is susceptible to a self-inflicted DOM-based Cross-Site Scripting (XSS) vulnerability via the name element.

DOM-based Cross-Site Scripting is a vulnerability where the attack payload is executed as a result of modifying the HTML DOM (Document Object Model). Web applications can be vulnerable to DOM-based XSS when untrusted data are introduced to HTML fields or to the HTML representation of the DOM.

Administrative NCPA users can utilize the 'Tail Event Logs' functionality ('/gui/tail') via the 'Live Data' dashboard to print the last lines of the Event Logs file. When the 'Tail Event Logs' page is accessed, by default, NCPA refreshes its contents every 5 seconds in order to retrieve the latest entries from the Event Logs file. In addition to the default functionality, administrative users can also filter the logs by utilizing the 'Event Log Name' filter located in the upper-right corner of the 'Tail Event Logs' page. When a search term is entered, the application returns the logs [if any] based on the applied search term, and displays the entered term itself in the name element of the results page in order to let the user know which filter was applied.

Further examination of the aforementioned functionality, however, revealed that the value of the search term is set on the name element by using the jQuery .html() function. As a result, it is possible to execute arbitrary JavaScript code in the 'Tail Event Logs' page through the 'Event Log Name' filtering functionality. The following code snippets highlight the root cause analysis of the vulnerability.

Initially, the /tail HTTP endpoint is declared on lines 936-944 of the agent/listener/server.py file.

# File: agent/listener/server.py 
935:  
936: @listener.route('/tail') 
937: @requires_token_or_auth 
938: def tail(accessor=None): 
939:     info = { } 
940:  
941:     query_string = request.query_string 
942:     info['query_string'] = urllib.quote(query_string) 
943:  
944:     return render_template('tail.html', **info) 
945:  

Then on lines 68-70 of the agent/listener/templates/tail.html file, the value of the name parameter is set to the name HTML element by using the jQuery .html() function.

// File: agent/listener/templates/tail.html
67:     $('.btn-apply').click(function() { 
68:         var name = $('input[name="name"]').val(); 
69:         query_string = "name=" + name; 
70:         $('.name').html(name); 
71:  
72:         // Restart the websocket 
73:         ws.close(); 
74:         logbody.html('<tr class="tbl-message"><td colspan="7">No logs have came in yet.</td></tr>'); 
75:         start_websocket(); 
76:     });

As an example, when the search term 'test' is applied, the application will attempt to retrieve any logs based on that search term, and update the name element with the query information: 'Filtered to test logs'. However, when the search term '<script>alert(1)</script>' is applied, the JavaScript alert() function is going to be executed, bringing up a dialog box with the value of 1, and demonstrating the execution of arbitrary JavaScript code.

Vulnerability Impact

An adversary could leverage this vulnerability to execute arbitrary JavaScript code in the context of an administrative NCPA user by tricking the user to enter a cross-site scripting (XSS) payload in the 'Tail Event Logs' page of the NCPA web interface. The attacker could then exfiltrate the NCPA community string, and gain administrative access on the NCPA web interface.

Resolution Recommendations

It is advised to set the value on the name element by using the jQuery .text() function.
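The difference between the two jQuery sinks, as an added example that is not part of the report or of NCPA's code: the label string is built the way tail.html does, once as `.html()` would render it and once as `.text()` would, and a small tag scanner (an assumed stand-in for the browser's HTML parser, so this runs without a DOM) reports which elements each version would create.

```javascript
// Added example, not NCPA's own code: models the '.name' sink from tail.html.
// $('.name').html(name) hands the filter string to the HTML parser, while
// $('.name').text(name) treats it as character data. A regex-based tag scanner
// stands in for the parser so the two outcomes can be compared offline.

// What $('.name').html(name) effectively renders: the filter value as raw markup.
function renderWithHtmlSink(name) {
  return "Filtered to " + name + " logs";
}

// Escape the characters HTML treats specially. '&' goes first so the entities
// produced by the later replacements are not encoded twice.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// What $('.name').text(name) renders: the same label, with the value shown
// literally instead of being parsed as markup.
function renderWithTextSink(name) {
  return "Filtered to " + escapeHtml(name) + " logs";
}

// Assumed stand-in for the HTML parser: lower-cased names of the start tags a
// fragment contains, i.e. the elements the browser would create from it.
function elementsCreatedBy(fragment) {
  const tags = [];
  const re = /<\s*([a-zA-Z][\w-]*)[^>]*>/g;
  let m;
  while ((m = re.exec(fragment)) !== null) {
    tags.push(m[1].toLowerCase());
  }
  return tags;
}

// Constructed sample inputs: the benign term and the PoC term from the report.
const SAMPLE_TERMS = ["test", "<script>alert(1)</script>"];

// Compare the sinks for every sample term; returns one row per term.
function compareSinks(terms = SAMPLE_TERMS) {
  return terms.map((t) => ({
    term: t,
    viaHtml: elementsCreatedBy(renderWithHtmlSink(t)),
    viaText: elementsCreatedBy(renderWithTextSink(t)),
  }));
}
```

For the benign term both sinks create no elements; for the PoC term only the `.html()` path yields a script element, which is exactly the change the resolution recommends.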

@jomann09 jomann09 self-assigned this Dec 1, 2021
@jomann09 jomann09 added the Bug label Dec 1, 2021
@jomann09 jomann09 added this to the 2.4.0 milestone Dec 1, 2021

jomann09 commented Dec 1, 2021

Thanks for this, we will update it in 2.4.0 which should be out very soon.


ericloyd commented Dec 1, 2021

EverWatch has confirmed the vulnerability but not the CVE (https://nvd.nist.gov/vuln/detail/CVE-2021-43584). Is this a reserved CVE?


iamaldi commented Dec 1, 2021

Hello,

Yes, CVE-2021-43584 was reserved by CENSUS.

jomann09 commented

Closing this since it's fixed in maint, and will be in 2.4, which will be out shortly.
