A SQL Injection vulnerability in Nagios Incident Manager (component of Nagios XI) before 2.2.7 allows authenticated attackers to inject additional SQL statements via the incident_id
parameter.
“Resolve network incidents, collaborate with team members, and track incident history”. For more information visit https://www.nagios.com/products/nagios-incident-manager/.
The Nagios XI API /nagiosxi/includes/components/nagiosim/nagiosim.php
allows interaction with Nagios IM through the file nagiosxi/basedir/html/includes/components/nagiosim/nagiosim.php
:
|
|
Since incident_id
is never sanitized nor validated, an attacker can exploit the SQL injection to get hold of the information in the database in use by Nagios XI.
/nagiosxi/includes/components/nagiosim/nagiosim.php?mode=update&token=[your api token]&incident_id=1'union%20select%201,2,3,4,5,6,7,8,'x
using the logged-in sessionAn authenticated attacker can get hold of the information in the database in use by Nagios XI.
Upgrade to Nagios IM 2.2.7 or later. (Note: we didn’t verify the patch.)
This report was subject to Shielder’s disclosure policy:
`polict` of Shielder
This advisory was first published on https://www.shielder.com/advisories/nagiosim-incident_id-sql-injection/
Date
10 April 2019