CVE-2019-20197

Severity: HIGH 8.8 / 10.0
Published: December 31, 2019 at 07:15 PM
Modified: November 21, 2024 at 04:38 AM
Source: cve@mitre.org

Vulnerability Description

In Nagios XI 5.6.9, an authenticated user is able to execute arbitrary OS commands via shell metacharacters in the id parameter to schedulereport.php, in the context of the web-server user account.

CVSS Metrics

Base Score: 8.8
Severity: HIGH
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Nagios XI 5.6.9 is vulnerable to remote command execution (RCE): an authenticated user can execute arbitrary operating system commands on the host. Successful exploitation gives the attacker control over the server in the context of the web-server user account, which can lead to data exposure and full system compromise. The vulnerability stems from insufficient input validation of the id parameter in the schedulereport.php script.

02 // Vulnerability Mechanism

Step 1 (Authentication): The attacker must first authenticate to the Nagios XI web interface. This requires valid credentials.

Step 2 (Payload Delivery): The attacker crafts a malicious request to schedulereport.php. The id parameter of this request is built to include shell metacharacters and the desired OS command (e.g., id; whoami).

Step 3 (Command Injection): The schedulereport.php script processes the request. Because there is no input validation, the shell metacharacters in the id parameter are neither escaped nor filtered.

Step 4 (Command Execution): The script constructs and executes a system command that includes the attacker-supplied id parameter. The shell interprets the metacharacters and runs the attacker's command.

Step 5 (Result Retrieval, optional): Depending on the command, the attacker may retrieve its output, for example through a file write, a network connection, or other means.

03 // Deep Technical Analysis

The vulnerability lies in the schedulereport.php script of Nagios XI 5.6.9. The script fails to sanitize the id parameter before passing it to a system command execution function, so an attacker can inject shell metacharacters (e.g., ;, |, &, $()) into the id parameter. The underlying operating system shell interprets these metacharacters, allowing the attacker to execute arbitrary commands with the privileges of the web-server user (typically www-data or similar). The root cause is therefore a classic command injection: a shell command is built from the unsanitized id value, and attacker-controlled input becomes part of the command that the shell executes.
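As an added example (not part of this advisory or of Nagios XI's own code), the following Python snippet shows the two defender-side checks this analysis implies: positive validation of the id parameter as a plain integer, and a scan of web-server access logs for requests to schedulereport.php whose id fails that validation. The log lines, the /nagiosxi/reports/ path prefix and the combined-log format are constructed assumptions; only the schedulereport.php file name and the id parameter come from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# A report id is legitimately a small integer; anything else is suspect.
SAFE_ID = re.compile(r"^\d{1,10}$")
# Shell metacharacters named in the advisory text (plus newline).
META = re.compile(r"[;|&$`()\n]")
# Combined access-log format (constructed assumption about the log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) '
)

def is_valid_report_id(raw: str) -> bool:
    """Positive validation: the only acceptable id is a plain integer."""
    return bool(SAFE_ID.fullmatch(raw))

def check_request(url: str):
    """Return (suspicious, reason) for one request URL."""
    parts = urlsplit(url)
    if not parts.path.endswith("/schedulereport.php"):
        return (False, "other endpoint")
    ids = parse_qs(parts.query).get("id")
    if not ids:
        return (False, "no id parameter")
    for raw in ids:
        val = unquote(raw)  # second decode catches double-encoded payloads
        if not is_valid_report_id(val):
            if META.search(val):
                return (True, f"shell metacharacter in id: {val!r}")
            return (True, f"non-numeric id: {val!r}")
    return (False, "id is numeric")

def scan_log(lines):
    """Yield (client ip, url, reason) for every suspicious schedulereport.php hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        suspicious, reason = check_request(m.group("url"))
        if suspicious:
            hits.append((m.group("ip"), m.group("url"), reason))
    return hits

# Constructed sample traffic: one normal request, two injection attempts
# (single- and double-encoded), one unrelated page.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jan/2020:12:00:01 +0000] "GET /nagiosxi/reports/schedulereport.php?id=12 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Jan/2020:12:00:07 +0000] "GET /nagiosxi/reports/schedulereport.php?id=12%3Bid HTTP/1.1" 200 77',
    '10.0.0.9 - - [10/Jan/2020:12:00:09 +0000] "GET /nagiosxi/reports/schedulereport.php?id=12%257Cid HTTP/1.1" 200 77',
    '10.0.0.5 - - [10/Jan/2020:12:00:12 +0000] "GET /nagiosxi/index.php HTTP/1.1" 200 2048',
]
```

Running scan_log(SAMPLE_LOG) flags the two requests from 10.0.0.9 and leaves the numeric id and the unrelated page alone; the same is_valid_report_id contract is what the script itself should enforce before any value reaches a shell.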
