Security issue
Hendrik Bäcker
andurin at process-zero.de
Thu Nov 6 07:41:00 CET 2008
Ton Voon wrote:
> On 27 Oct 2008, at 08:51, Andreas Ericsson wrote:
>
>> The rest of the nagios-devel mailing list, you may want to mark this
>> thread as important, although an announce will be sent once the issues
>> Tim discovered have been fixed.
>
> I notice that there have been patches applied to Nagios for this
> issue, but it is not clear what the security issue is.
>
> Can you explain what the issue is, what the exposure is, and what the
> fix does?
>
> Ton
Hi Ton,
it was a possible Cross Site Request Forgery attack against the cmd.cgi
which allows an authorized attacker to inject external commands into
nagios. In the worst case the attacker might execute any shell code.
I don't want to go deeper into this on publicly readable resources. I've
tested the possible attack and it was evil enough for me to update as
soon as possible.
Regards,
Hendrik