ANNOUNCE: Nagios Looking Glass 1.0.0#PRE is here!
Andy Shellam (Mailing Lists)
andy.shellam-lists at mailnetwork.co.uk
Thu Dec 28 08:27:13 CET 2006
John P. Rouillard wrote:
> In message <459301E4.3090206 at mailnetwork.co.uk>,
> "Andy Shellam (Mailing Lists)" writes:
>
>> Doesn't sound rude at all, after all this is why it's a beta.
>> The only test that I think needs to be done is to check if $_GET['fid']
>> is a number.
>>
>> If it was to a database I'd definitely make it more secure, but there is
>> no way you can forcibly pass a parameter to NLG.
>> Because the content is rendered (and URLs built) by JavaScript, if you
>> added ?fid=<whatever> to the query string, the JS ignores it and uses
>> whatever values it holds internally (which are set when you do a select
>> in the filter dropdown, and on initial load are set to 0.)
>>
>
> If the javascript is on the client side, then I have access to the
> code and enough info to create my own URL. Then what stops me from
> creating any URL and sending it to NLG by hand?
>
From the client-side, the URL that's built in the JavaScript comes out to:
"?view=server&fid=1&gid=3"
That's the most info you'll get out of the JS - pass that to the
s3_client.php page and you'll get an un-styled, plain format of the page
that's rendered when you click on a "Server" link.
What benefit is there (to a normal user or a hacker) of wanting to
change the fid and gid? They do nothing except choose which data you
want to get back to the client front-end.
If you replace fid or gid with an invalid group or filter, you won't
get any valid data back.
>> If you requested the full URL that's passed to the poller back-end,
>> you'd find it extremely difficult to decipher it without the
>> s3_class.inc.php file (as this is what the client front-end does) and to
>> the average Joe it'd be a load of figures and numbers (sure you could
>> base64 decode the relevant part of it, but it'd mean nothing without the
>> s3_class.inc.php.)
>>
>
> Correct me if I am wrong, but you are giving away the source including
> the php files needed to decode things.
>
I'm talking about if a user/hacker connected directly to the poller
script, he wouldn't necessarily know what the software application is
that's running, or even which files he needed to use from the distribution.
>
>> Also if you passed an invalid filter to the poller, I believe (off the
>> top of my head) it'd set it to 0 anyway. Either that, or it'd just
>> return no servers.
>>
>> And you should set up HTTP authentication to the poller's back-end script
>> so your average Joe can't access it without the correct username and
>> password anyway.
>>
>
> If the plan is for this to be a safe read only interface compared to
> the standard nagios cgi's, I may very well want to deploy it without
> authentication.
>
You're not thinking about the architecture of how NLG works:
Client-side - front user-interface (sits on any public webserver) <--
this is publicly available
Server-side - back-end poller (sits on Nagios server) <-- this is what
should be authenticated
>
>> For 1.0.0 I'll add the check to make sure the parameters are integers,
>> but in the end I think it's a case of much ado about nothing.
>>
>
> Hmm, well thanks for making the change, too bad you feel that way.
>
If someone can provide me with a way in which NLG can be used to extract
data users wouldn't normally see through Nagios, then I'll be only too
happy to change how I feel.
--
Andy Shellam
NetServe Support Team
the Mail Network
"an alternative in a standardised world"
p: +44 (0) 121 288 0832/0839
m: +44 (0) 7818 000834
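The check Andy says he will add for 1.0.0 (make sure fid and gid are integers) and John's point that the client-side JavaScript cannot stop anyone from hand-building a URL are the same issue seen from two sides: whatever the front end does, the back-end script must validate what actually arrives in the query string. The snippet below is an added illustration written for this page, not code from Nagios Looking Glass or its author. It assumes the back end is reached with a query like ?view=server&fid=1&gid=3 and that valid IDs are non-negative decimal integers; the function names, the sample requests and the 400 response are all hypothetical.

```php
<?php
// Added example (hypothetical, not NLG's own code): strict server-side
// validation of the fid/gid query parameters discussed in the thread.
// Assumption: valid IDs are canonical non-negative decimal integers.
declare(strict_types=1);

/**
 * Return $value as an int if it is a canonical non-negative decimal integer
 * ("0", "17", ...), otherwise null. Rejects "1abc", " 1", "1.0", "-1", "+1",
 * "01", "1e3" and arrays; a bare (int) cast or is_numeric() would accept or
 * silently coerce most of those.
 */
function parse_id($value): ?int
{
    if (!is_string($value)) {
        return null;                 // e.g. ?fid[]=1 arrives as an array
    }
    if (!preg_match('/\A(0|[1-9][0-9]{0,9})\z/', $value)) {
        return null;
    }
    return (int) $value;
}

/**
 * Validate the request on the server. The JavaScript that normally builds the
 * URL is irrelevant here: anyone can send ?fid=<whatever> directly, so the
 * query string is untrusted input no matter how the front end behaves.
 * Missing parameters fall back to 0, matching the initial-load default
 * described in the thread.
 */
function validate_request(array $query): array
{
    $fid = parse_id($query['fid'] ?? '0');
    $gid = parse_id($query['gid'] ?? '0');
    if ($fid === null || $gid === null) {
        return ['ok' => false, 'error' => 'fid and gid must be non-negative integers'];
    }
    return ['ok' => true, 'fid' => $fid, 'gid' => $gid];
}

// Constructed sample requests (not captured from a real deployment).
$samples = [
    ['view' => 'server', 'fid' => '1', 'gid' => '3'],              // what the JS builds
    ['view' => 'server', 'fid' => "1' OR '1'='1", 'gid' => '3'],   // hand-crafted
    ['view' => 'server', 'fid' => '0x1', 'gid' => '3'],            // hex string
    ['view' => 'server', 'fid' => ['1'], 'gid' => '3'],            // ?fid[]=1
    ['view' => 'server'],                                          // no IDs at all
];

foreach ($samples as $q) {
    echo json_encode($q), ' => ', json_encode(validate_request($q)), PHP_EOL;
}

// Wired into a script such as s3_client.php, a failed check would end the
// request before any fid/gid value reaches the rest of the code:
if (PHP_SAPI !== 'cli') {
    $r = validate_request($_GET);
    if (!$r['ok']) {
        http_response_code(400);
        exit($r['error']);
    }
}
```

Run from the command line it prints one line per sample; only the first and the last (defaults to fid=0, gid=0) pass. The regular expression is deliberately stricter than is_numeric() because the goal is to accept exactly the values the front end can generate and nothing else; if the application ever passes these IDs to a database or a shell, the same validation is the first line of defence, and the HTTP authentication on the poller back end recommended in the thread is a separate control, not a substitute for it.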
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null