Security vulnerabilities in op5 Monitor

Security vulnerabilities published at http://packetstormsecurity.org/files/115850/op5-xssxsrfsql.txt

Last week there were 3 different kinds of vulnerabilities reported for op5 Monitor 5.4.2.
Please note that all of the reported issues (except 2B) are solved in op5 Monitor 5.7.3. We can, however, confirm that similar issues are still present, but these will be addressed as described below. Because of this, we strongly encourage all our customers to upgrade to op5 Monitor 5.7.3.

1. SQL injection (http://en.wikipedia.org/wiki/SQL_injection)

These issues are due to insufficient sanitization of input parameters in ninja and could lead to unwanted information disclosure and data manipulation in the database backend. Since the database backend in op5 Monitor will be replaced by livestatus for all pages in ninja (except for reports), this problem will be removed when op5 Monitor 6.0 is released in November. That release is, however, planned to run only on RHEL/CentOS 6, which means that the 5.7.x release is the last release supporting RHEL/CentOS 5, leaving many of our customers stuck on a release vulnerable to the reported SQL injection issues. The solution from our side is to “backport” the livestatus backend to 5.7 once op5 Monitor 6.0 is done, since fixing the issues directly in the 5.7 branch would be too costly in terms of development resources.

2. XSS injection (http://en.wikipedia.org/wiki/Cross-site_scripting)

These issues are somewhat related to the SQL injections described above, but these vulnerabilities manifest as the injection of client-side scripts, usually resulting in elevated privileges for a user on the target system.
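Both classes of issue above come down to the same mistake: a request parameter or a database value is spliced into something that has its own grammar (SQL in section 1, HTML in section 2) without being kept apart from that grammar. The example below, added here and not code from op5 or ninja, puts the vulnerable pattern beside the hardened one for each case on a constructed host table (the schema, host names and plugin output are assumptions for illustration). A host name containing an apostrophe is enough to show the difference: the concatenated query breaks because the quote is parsed as SQL syntax, while the bound-parameter query treats it as data; likewise, plugin output containing markup is interpreted by the unescaped renderer and displayed literally by the escaping one.

```python
import html
import sqlite3

# Constructed sample data standing in for a monitoring host table; the column
# names are assumptions for this example, not op5 Monitor's real schema.
HOSTS = [
    ("web01", "UP", "HTTP OK - 200"),
    ("db01", "DOWN", "Connection refused"),
    ("o'neil-db", "UP", "ok"),                      # legitimate name with a quote
    ("lb01", "UP", "<b>all backends healthy</b>"),  # plugin output carrying markup
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE host (name TEXT, state TEXT, output TEXT)")
    conn.executemany("INSERT INTO host VALUES (?, ?, ?)", HOSTS)
    return conn


def search_hosts_unsafe(conn, name_filter):
    # Vulnerable pattern: the request parameter is spliced into the SQL text, so
    # any quote in it changes the statement instead of being part of the value.
    sql = "SELECT name, state, output FROM host WHERE name = '" + name_filter + "'"
    return conn.execute(sql).fetchall()


def search_hosts_safe(conn, name_filter):
    # Hardened pattern: a bound placeholder; the value never reaches the SQL parser.
    sql = "SELECT name, state, output FROM host WHERE name = ?"
    return conn.execute(sql, (name_filter,)).fetchall()


def render_row_unsafe(row):
    # Vulnerable pattern: database values dropped into the page verbatim.
    name, state, output = row
    return f"<tr><td>{name}</td><td>{state}</td><td>{output}</td></tr>"


def render_row_safe(row):
    # Hardened pattern: every dynamic value is HTML-escaped at output time, so
    # markup in a host name or plugin output is shown literally, not interpreted.
    cells = "".join(f"<td>{html.escape(str(v), quote=True)}</td>" for v in row)
    return f"<tr>{cells}</tr>"


def compare(name_filter):
    """Run both query styles on one filter value and both renderers on the lb01 row."""
    conn = make_db()
    result = {"filter": name_filter}
    try:
        result["unsafe_query"] = search_hosts_unsafe(conn, name_filter)
    except sqlite3.Error as exc:
        # The quote inside the value was parsed as SQL syntax.
        result["unsafe_query"] = f"error: {exc}"
    result["safe_query"] = search_hosts_safe(conn, name_filter)
    lb = search_hosts_safe(conn, "lb01")[0]
    result["unsafe_html"] = render_row_unsafe(lb)
    result["safe_html"] = render_row_safe(lb)
    return result


if __name__ == "__main__":
    for key, value in compare("o'neil-db").items():
        print(f"{key}: {value}")
```

The query fix is done at the data-access layer (bind parameters), and the output fix at the template layer (escape at the point of rendering, not on input); validating input on the way in is a useful extra layer, but the two fixes above are what remove the injection primitive regardless of which user supplied the value, which is why the privileged/unprivileged split in section 2 changes the severity but not the remedy.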

The vulnerabilities can be categorised into 2 areas:

A: Unprivileged users
Users in op5 Monitor without access to nacoma (insufficient rights to modify the config).
This vulnerability is already fixed in our code base and is available to our customers through yum as of 2012-08-28.

B: Privileged users
Users in op5 Monitor with access to nacoma (can modify the config).
These users have already been “trusted” by the organisation, so this vulnerability should probably not be regarded as being as critical as the previous category.

Fixing the reported issues will require more work from our developers, but we will focus on this in the coming weeks.
All these fixes will be included in both the 5.7 and the 6.0 branches.