Nagios Core Config Manager SQL injection vulnerability
Description
A SQL injection vulnerability exists in the login functionality of Nagios Core Config Manager (NagiosQL), specifically affecting the password field during authentication. The application fails to properly validate or sanitize user input in the password parameter (tfPassword) before incorporating it into SQL queries. This flaw allows attackers to inject malicious SQL code that will be executed by the database server. This vulnerability was identified in the Nagios Core Config Manager component bundled with Nagios XI virtual appliances, accessible at http://<vmlocation>/nagiosql/index.php.
Remediation
Take the following steps to remediate this vulnerability:
1. Immediate Action:
• Upgrade Nagios XI to the latest version that includes a patched version of NagiosQL Core Config Manager (version 2012R1.3 or later based on the changelog)
• If immediate patching is not possible, restrict network access to the NagiosQL interface using firewall rules or web server access controls to trusted IP addresses only
2. Verify Remediation:
• After upgrading, test the login functionality to ensure SQL injection attempts are properly blocked
• Review database and application logs for any suspicious activity or unauthorized access attempts
• Reset all user passwords as a precautionary measure if exploitation is suspected
3. Long-term Prevention:
• Implement parameterized queries (prepared statements) for all database interactions. Example secure code pattern:
    // Secure approach using parameterized queries (mysqli prepared statement)
    // The "?" placeholders are bound separately, so user input is never parsed as SQL
    $stmt = $db->prepare("SELECT * FROM users WHERE username = ? AND password = ?");
    $stmt->bind_param("ss", $username, $password_hash);
    $stmt->execute();
    $result = $stmt->get_result();
• Apply input validation and sanitization on all user-supplied data
• Implement the principle of least privilege for database accounts used by the application
• Enable web application firewall (WAF) rules to detect and block SQL injection attempts
• Conduct regular security assessments and code reviews of custom modifications
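The following is an added worked example, not code from NagiosQL or Nagios XI, illustrating two of the steps above in one place: the parameterized-query fix from "Long-term Prevention" and the post-upgrade login check from "Verify Remediation". It models the flaw with a login function that splices the tfUsername and tfPassword fields directly into SQL text, places the hardened login beside it, and runs both against a constructed in-memory SQLite database. The table names, the sample account and the use of PBKDF2 are assumptions for the example; NagiosQL's real schema and hashing are not reproduced.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Constructed sample account (assumption: NagiosQL's real table layout is not reproduced here).
SAMPLE_USER = "nagiosadmin"
SAMPLE_PASSWORD = "correct horse battery staple"
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> str:
    """PBKDF2-HMAC-SHA256 of the password under the given salt, as a hex digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS).hex()


def build_db() -> sqlite3.Connection:
    """In-memory database with a legacy plaintext table (flawed design) and a hashed table (fixed design)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl_user_legacy (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE tbl_user (username TEXT PRIMARY KEY, salt TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO tbl_user_legacy VALUES (?, ?)", (SAMPLE_USER, SAMPLE_PASSWORD))
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO tbl_user VALUES (?, ?, ?)",
        (SAMPLE_USER, salt.hex(), hash_password(SAMPLE_PASSWORD, salt)),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, tfUsername: str, tfPassword: str) -> Optional[str]:
    """Flawed pattern: the submitted fields are spliced into the SQL text, so the password field
    can change the structure of the query instead of being compared as data."""
    sql = (
        "SELECT username FROM tbl_user_legacy "
        f"WHERE username = '{tfUsername}' AND password = '{tfPassword}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn: sqlite3.Connection, tfUsername: str, tfPassword: str) -> Optional[str]:
    """Fixed pattern: parameterized lookup by username only, then the password is verified in
    application code with a constant-time comparison. The submitted password never reaches SQL."""
    row = conn.execute(
        "SELECT salt, password_hash FROM tbl_user WHERE username = ?", (tfUsername,)
    ).fetchone()
    if row is None:
        return None
    salt_hex, stored_hash = row
    candidate = hash_password(tfPassword, bytes.fromhex(salt_hex))
    return tfUsername if hmac.compare_digest(candidate, stored_hash) else None


def verify_remediation(conn: Optional[sqlite3.Connection] = None) -> dict:
    """The post-upgrade check from the remediation steps: a generic SQL tautology placed in the
    password field must not log anyone in, while a valid password still must."""
    if conn is None:
        conn = build_db()
    tautology = "' OR '1'='1"  # classic test input used to confirm the field is treated as data
    return {
        "vulnerable_valid": login_vulnerable(conn, SAMPLE_USER, SAMPLE_PASSWORD),
        "vulnerable_injected": login_vulnerable(conn, SAMPLE_USER, tautology),
        "hardened_valid": login_hardened(conn, SAMPLE_USER, SAMPLE_PASSWORD),
        "hardened_injected": login_hardened(conn, SAMPLE_USER, tautology),
        "hardened_wrong_password": login_hardened(conn, SAMPLE_USER, "not the password"),
    }


if __name__ == "__main__":
    for check, outcome in verify_remediation().items():
        print(f"{check}: {'logged in as ' + outcome if outcome else 'rejected'}")
```

Running the block shows the vulnerable login accepting the tautology in the password field (the `AND password = ''` clause is followed by an `OR` that is always true), while the hardened login rejects it and only accepts the real password. The design choice worth noting is that the fix does two things the PHP snippet above hints at: the username is bound as a parameter, and the password comparison is moved out of SQL entirely, so there is no password string in the query for an attacker to influence.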