Nagios XI SQL Injection Vulnerability in Legacy Core Configuration Manager

A SQL injection vulnerability has been identified in Nagios XI versions prior to 2012R1.3, specifically within the legacy Core Configuration Manager (CCM) interface. This vulnerability allows authenticated users to manipulate SQL queries by injecting crafted input into certain CCM parameters. Exploitation of this vulnerability could lead to unauthorized access to configuration data in the application database, with the potential to disclose or modify notification information. In some cases, the exploitation could have a broader impact on the application database as a whole.

Impact

Exploitation of this vulnerability allows for SQL injection, which could be used to access, modify, or delete data in the application's database. This includes the possibility of unauthorized changes to Nagios XI's configuration or notification settings.

Reproduction

To reproduce this vulnerability, an authenticated user can navigate to the legacy Core Configuration Manager interface in a version of Nagios XI prior to 2012R1.3. Once there, the user can inject malicious SQL into specific parameters that are processed by the application's SQL query handler. This could be done by, for example, uploading a crafted MIB file that exploits the SQL injection vulnerability in the Manage MIBs page, or by using the Bulk Modifications Tool to introduce SQL injection through free variable definitions.

Remediation

Users can upgrade to Nagios XI version 2012R1.3 or later, where this vulnerability has been fixed.