Security issue

Arno Lehmann al at its-lehmann.de
Thu Nov 6 23:24:45 CET 2008


Hi,

06.11.2008 12:45, Andreas Ericsson wrote:
...
> A couple of things to note:
> * Information disclosure is not possible. No remote user can see
>   anything from your authentication-protected Nagios servers.

I'm not sure this is correct... see what all the Web 2.0 stuff is
about - JavaScript executes HTTP queries, captures the output, and
does something with it.

I guess it's possible for a JavaScript in Dr. Evil's pages to get the
CGI output without actually displaying it, and to forward the
information collected to Dr. Evil's web server. Don't ask for a sample
exploit, please.

> * Invalid commands read from the FIFO are always dropped flat by
>   Nagios.
> * Since commands must be valid, it's not very easy to submit a
>   command that has all the information required. Social engineering
>   is required.
> * You *will* notice if this happens to you, since you all of a
>   sudden will end up with cmd.cgi (not in a frame either) saying
>   "Command submitted successfully" or some such.

See above - AJAXified web pages probably can prevent this.

> 
> Hope that clears things up a bit.

Arno

-- 
Arno Lehmann
IT-Service Lehmann
Sandstr. 6, 49080 Osnabrück
www.its-lehmann.de
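A defender-side illustration, added here and not code from Nagios or from either poster: the minimal checks a command-submitting CGI such as cmd.cgi could apply so that a request forged from a third-party page is refused while a real form submission from the monitoring UI is accepted. The handler, the host name, the `csrf_token` parameter and the server secret are all hypothetical or constructed values.

```python
"""Added example: CSRF guard for a CGI that accepts state-changing commands.
Not Nagios code; every name below is hypothetical/constructed."""
import hashlib
import hmac
from urllib.parse import urlsplit

SITE_HOST = "nagios.example.internal"   # host the monitoring UI is served from (constructed)
SECRET = b"constructed-server-secret"   # per-server secret, generated at install time


def issue_token(session_id: str) -> str:
    """Token bound to the authenticated browser session; embedded as a hidden
    field in the command form.  A third-party page cannot read or guess it."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def guard(method: str, headers: dict, params: dict, session_id: str):
    """Decide whether a command submission may be executed.

    Returns (accepted, reason).  A request forged from another site fails at
    least one of these checks; a form submission from our own UI passes all."""
    # 1. Never act on a GET: an <img src=...> or a link on a foreign page is a GET.
    if method != "POST":
        return False, "state-changing command must be POSTed, not fetched via GET"
    # 2. The browser reports where the request was initiated; require our own host.
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return False, "no Origin/Referer: cannot confirm request came from our UI"
    host = urlsplit(origin).hostname
    if host != SITE_HOST:
        return False, f"cross-site request initiated from {host}"
    # 3. The form must carry the session-bound token (constant-time comparison).
    token = params.get("csrf_token", "")
    if not hmac.compare_digest(token, issue_token(session_id)):
        return False, "missing or wrong csrf_token"
    return True, "ok"


if __name__ == "__main__":
    # Constructed requests: one genuine submission and two forged ones.
    sid = "session-abc123"
    ok_hdr = {"Origin": f"https://{SITE_HOST}"}
    print(guard("POST", ok_hdr, {"csrf_token": issue_token(sid)}, sid))
    print(guard("GET", {"Referer": "http://attacker.example/"}, {}, sid))
    print(guard("POST", {"Referer": "http://attacker.example/"}, {}, sid))
```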
