servicegroup overview not restricted for htaccess users

Jonas Meurer jonas at freesources.org
Mon May 6 10:42:14 CEST 2013


Hello,

I fear that I discovered a security issue in Nagios 3.4.4 status.cgi:

All htaccess users, even if not listed in any authorized_for_* config 
option, have full access to service group overview, summary and grid:
/nagios/cgi-bin/status.cgi?servicegroup=all&style=overview
/nagios/cgi-bin/status.cgi?servicegroup=all&style=summary
/nagios/cgi-bin/status.cgi?servicegroup=all&style=grid

I hope that this is not intended. Is this issue known?

Kind regards,
  jonas


------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null





More information about the Users mailing list