[Nagios-users] servicegroup overview not restricted for htaccess users
Jonas Meurer
jonas at freesources.org
Wed Jun 26 17:27:27 CEST 2013
Hello again,
On 2013-05-13 18:02, Jonas Meurer wrote:
> On 12.05.2013 11:25, Andreas Ericsson wrote:
>> On 2013-05-06 10:42, Jonas Meurer wrote:
>>> I fear that I discovered a security issue in Nagios 3.4.4
>>> status.cgi:
>>>
>>> All htaccess users, even if not listed in any authorized_for_*
>>> config
>>> option, have full access to service group overview, summary and
>>> grid:
>>> /nagios/cgi-bin/status.cgi?servicegroup=all&style=overview
>>> /nagios/cgi-bin/status.cgi?servicegroup=all&style=summary
>>> /nagios/cgi-bin/status.cgi?servicegroup=all&style=grid
>>
>> It's a bit short on info. Servicegroups should be visible if the user
>> is a contact for any service in the group. If a user who has no auth
>> options and is not a contact for any service can see all
>> servicegroups,
>> then yes, that's potentially a security issue.
>
> You're nearly correct with the second assumption. Users which are
> contact for _some_ services are able to see all services in service
> group overview, summary and grid.
>
> This problem affects everyone who restricts nagios access by using
> contacts. Unprivileged users are able to fetch the whole list of hosts
> and services on the Nagios setup in question.
I have now prepared a patch to fix this security issue. You can find the
patch (both for the nagios4 git master branch and for the nagios3.4.4 release)
at the bug tracker (http://tracker.nagios.org/view.php?id=456).
I suggest incorporating the patch into a security update of Nagios 3.4.
The issue is also reported to Debian BTS
(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714171).
Kind regards,
jonas
PS: why do you always reply to the original sender only, keeping the
discussion private? May I suggest that you reply both to the sender and
to the mailing list in order to make the discussion public?
PPS: Is there a reason that SVN hosts three nagios repositories (2x git:
nagios-nagioscore, nagios-nagios, 1x svn: nagioscore) with only the git
repository 'nagios-nagioscore' being up-to-date? This is rather
confusing ;)
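A check for the behaviour Jonas describes, as an added example that is not part of the original post and not Nagios code. It logs in as a restricted htaccess user, fetches the three servicegroup=all views plus a baseline view that is assumed to honour contact restrictions (status.cgi?host=all&style=detail), and reports any host or service that appears only in the servicegroup views. Host and service names are pulled from extinfo.cgi links, which is how Nagios 3.x status pages link to object details; the base URL, credentials, the choice of baseline view and the sample HTML at the bottom are all assumptions made for this example.

```python
"""Detect hosts/services leaked through status.cgi?servicegroup=all views.

Added example for the mailing-list report above; not Nagios code.
Assumptions: Nagios 3.x link patterns (extinfo.cgi?type=1&host=... for hosts,
type=2&host=...&service=... for services), a baseline view that honours
contact restrictions, and constructed sample HTML for offline use.
"""
import base64
import re
import sys
import urllib.request
from urllib.parse import unquote

# Link patterns emitted by Nagios 3.x CGIs (assumed; '&amp;' tolerated in case
# the page is served through something that HTML-escapes hrefs).
HOST_LINK = re.compile(r"extinfo\.cgi\?type=1&(?:amp;)?host=([^&\"'\s>]+)")
SVC_LINK = re.compile(
    r"extinfo\.cgi\?type=2&(?:amp;)?host=([^&\"'\s>]+)&(?:amp;)?service=([^&\"'\s>]+)"
)

# The three views reported as unrestricted, and the assumed restricted baseline.
LEAKY_VIEWS = [
    "/cgi-bin/status.cgi?servicegroup=all&style=overview",
    "/cgi-bin/status.cgi?servicegroup=all&style=summary",
    "/cgi-bin/status.cgi?servicegroup=all&style=grid",
]
BASELINE_VIEW = "/cgi-bin/status.cgi?host=all&style=detail"  # assumption


def extract_objects(html):
    """Return (hosts, services) named by extinfo.cgi links in a status page."""
    hosts = {unquote(h) for h in HOST_LINK.findall(html)}
    services = set()
    for host, svc in SVC_LINK.findall(html):
        services.add((unquote(host), unquote(svc)))
        hosts.add(unquote(host))  # a service link implies its host is visible too
    return hosts, services


def compare(baseline_html, view_htmls):
    """Objects visible in the servicegroup views but absent from the baseline."""
    base_hosts, base_svcs = extract_objects(baseline_html)
    leaked_hosts, leaked_svcs = set(), set()
    for html in view_htmls:
        hosts, svcs = extract_objects(html)
        leaked_hosts |= hosts - base_hosts
        leaked_svcs |= svcs - base_svcs
    return leaked_hosts, leaked_svcs


def fetch(base_url, path, user, password):
    """GET a CGI page with HTTP basic auth, as an htaccess-protected Nagios expects."""
    req = urllib.request.Request(base_url.rstrip("/") + path)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed sample pages (not real Nagios output): the restricted user is a
# contact for web1/HTTP only, yet the overview page also lists db1.
SAMPLE_BASELINE = (
    "<td><a href='extinfo.cgi?type=1&host=web1'>web1</a></td>"
    "<td><a href='extinfo.cgi?type=2&host=web1&service=HTTP'>HTTP</a></td>"
)
SAMPLE_OVERVIEW = (
    SAMPLE_BASELINE
    + "<td><a href='extinfo.cgi?type=1&host=db1'>db1</a></td>"
    "<td><a href='extinfo.cgi?type=2&host=db1&service=Root%20Partition'>Root Partition</a></td>"
)


def main(argv):
    if len(argv) != 4:
        print(f"usage: {argv[0]} http://nagios.example/nagios user password")
        return 2
    base_url, user, password = argv[1:4]
    baseline = fetch(base_url, BASELINE_VIEW, user, password)
    views = [fetch(base_url, v, user, password) for v in LEAKY_VIEWS]
    hosts, svcs = compare(baseline, views)
    if not hosts and not svcs:
        print("no extra objects exposed via servicegroup=all views")
        return 0
    print("objects visible only via servicegroup=all views:")
    for h in sorted(hosts):
        print("  host", h)
    for h, s in sorted(svcs):
        print("  service", h, "/", s)
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the credentials of a user who is a contact for some services but is not listed in any authorized_for_* option; a non-empty report reproduces the issue, and the same run after applying the patch should print nothing extra. The constructed samples show the expected shape of a leak: db1 and its service appear in the overview but not in the baseline.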