ANNOUNCE: Nagios Looking Glass 1.0.0#PRE is here!

Hans Wolters j.wolters at piramide.nl
Thu Dec 28 14:18:54 CET 2006


Hi Andy,


> You're not thinking about the architecture of how NLG works:

> Client-side - front user-interface (sits on any public webserver)  <-- 
> this is publicly available
> Server-side - back-end poller (sits on Nagios server) <-- this is what 
> should be authenticated

....

> If someone can provide me with a way in which NLG can be used to extract 
> data users wouldn't normally see through Nagios, then I'll be only too 
> happy to change how I feel.

Besides the question of whether webservices are available to the public or 
not, I would like to explain why I posted my findings.

Part of my job is checking on security issues for products we might
want to use. You have stated that currently it is not a problem. True.
But consider the fact that this is a project in development. From my
experience one needs to make sure user input is sanitized since you
can't predict the existing code will not be expanded in a case where
other url parameters might be read. Sanitizing is always a good idea.

As for people like me, I assume I'm not the only one, we tend to do 
security audits on code that we might want to use for our office or
even for our clients. I will always run a first check before installing
any solution. With possible problems like input that is not sanitized
I tend to look for other products since it only costs me more time 
to audit code that will have unsanitized parts.

Again, I am not stating it is insecure but it is my belief it could
get insecure once a project is growing.

I will have the time to do a more specified audit in a few weeks. Will
let you know what my findings are.

Best regards,

Hans
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null

