servicegroup overview not restricted for htaccess users
Jonas Meurer
jonas at freesources.org
Mon May 6 10:42:14 CEST 2013
Hello,

I fear that I discovered a security issue in Nagios 3.4.4 status.cgi:

All htaccess users, even if not listed in any authorized_for_* config
option, have full access to service group overview, summary and grid:

/nagios/cgi-bin/status.cgi?servicegroup=all&style=overview
/nagios/cgi-bin/status.cgi?servicegroup=all&style=summary
/nagios/cgi-bin/status.cgi?servicegroup=all&style=grid

I hope that this is not intended. Is this issue known?

Kind regards,
jonas
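
Added example, not part of the original post and not Nagios project code: a log audit that flags successful status.cgi requests for the three service group views by authenticated users who appear in no authorized_for_* option. Assumptions: the cgi.cfg fragment, user names and Apache log lines are constructed samples, any servicegroup value is matched (the post shows only servicegroup=all), and users who are contacts for their own services are not treated separately.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed cgi.cfg fragment; the user names are made up.
SAMPLE_CGI_CFG = """\
use_authentication=1
authorized_for_all_services=nagiosadmin,ops
authorized_for_all_hosts=nagiosadmin,ops
"""
# Constructed Apache access log lines (documentation IP range).
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - nagiosadmin [06/May/2013:10:01:00 +0200] "GET /nagios/cgi-bin/status.cgi?servicegroup=all&style=overview HTTP/1.1" 200 5120
192.0.2.11 - guest [06/May/2013:10:02:00 +0200] "GET /nagios/cgi-bin/status.cgi?servicegroup=all&style=grid HTTP/1.1" 200 9001
192.0.2.11 - guest [06/May/2013:10:03:00 +0200] "GET /nagios/cgi-bin/status.cgi?host=all HTTP/1.1" 200 812
192.0.2.12 - guest2 [06/May/2013:10:04:00 +0200] "GET /nagios/cgi-bin/status.cgi?style=summary&servicegroup=web HTTP/1.1" 200 700
192.0.2.13 - - [06/May/2013:10:05:00 +0200] "GET /nagios/cgi-bin/status.cgi?servicegroup=all&style=overview HTTP/1.1" 401 381
"""
STYLES = {"overview", "summary", "grid"}  # the three views named in the post
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) ')

def authorized_users(cfg_text):
    """Collect every user named in any authorized_for_* option."""
    users = set()
    for line in cfg_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip().startswith("authorized_for_"):
            users.update(u.strip() for u in value.split(",") if u.strip())
    return users

def flag_requests(log_text, listed):
    """Return (user, client, servicegroup, style) for unlisted users' views."""
    findings = []
    if "*" in listed:  # "*" grants the option to every authenticated user
        return findings
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, user, target, status = m.groups()
        url = urlsplit(target)
        query = parse_qs(url.query)
        style = query.get("style", [""])[0]
        if (url.path.endswith("/status.cgi") and status == "200" and user != "-"
                and "servicegroup" in query and style in STYLES and user not in listed):
            findings.append((user, client, query["servicegroup"][0], style))
    return findings

if __name__ == "__main__":
    for finding in flag_requests(SAMPLE_ACCESS_LOG, authorized_users(SAMPLE_CGI_CFG)):
        print(finding)
```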