ANNOUNCE: Nagios Looking Glass 1.0.0#PRE is here!

Andy Shellam (Mailing Lists) andy.shellam-lists at mailnetwork.co.uk
Wed Jan 3 13:10:31 CET 2007


Andreas Ericsson wrote:
> Andy Shellam (Mailing Lists) wrote:
>>
>> If you requested the full URL that's passed to the poller back-end, 
>> you'd find it extremely difficult to decipher it without the 
>> s3_class.inc.php file (as this is what the client front-end does) and 
>> to the average Joe it'd be a load of figures and numbers (sure you 
>> could base64 decode the relevant part of it, but it'd mean nothing 
>> without the s3_class.inc.php.)
>>
>
> Correct me if I'm wrong, but s3_class.inc.php is publicly available, 
> no? Either way, securing against "the average Joe" is neither 
> difficult nor sufficient. Just worth considering.

Yes, as I've answered before: a) you'd need to know the application is 
in fact NLG, b) you'd need to know which file to use and what to do with 
it, c) you'd need the correct part of the returned code, d) you'd need 
to know it's a base64-encoded serialisation of the poller object, and at 
the end of the day, you should use HTTP authentication on the poller 
feed anyway.

Also as I've said before, the poller gives out nothing more than you can 
access through the front-end anyway (as it's designed to be a public 
interface) so it'd be a waste of time trying to crack the feed.
I'm more worried about securing against things like XSS attacks, which I'm 
pretty certain NLG is not vulnerable to, as the GET variables are 
processed in some other way beforehand; they're not printed to the page 
verbatim.

Thanks,

-- 
Andy Shellam
NetServe Support Team

the Mail Network
"an alternative in a standardised world"

p: +44 (0) 121 288 0832/0839
m: +44 (0) 7818 000834
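Editor's note on the "base64-encoded serialisation of the poller object" point above. The following is an added example, not code from this thread or from NLG: a small Python parser for PHP's serialize() text format, applied to a base64 parameter of the kind the message describes. It shows that an observer who has never seen s3_class.inc.php can still recover the class name, every property name and every value, because base64 and serialize() are encodings, not encryption (PHP's own unserialize() behaves the same way: without the class definition it yields a __PHP_Incomplete_Class whose properties are all still readable). The class name "poller", its properties, the host name, the script path and the query parameter name "s3" are constructed assumptions for illustration only.

```python
import base64
import urllib.parse

# Constructed sample of what serialize($poller) might look like. Class name,
# property names and values are assumptions, not taken from NLG.
SERIALISED_POLLER = (
    'O:6:"poller":4:{'
    's:4:"host";s:18:"nagios.example.net";'
    's:4:"port";i:80;'
    's:3:"ssl";b:0;'
    's:5:"hosts";a:2:{i:0;s:4:"www1";i:1;s:4:"www2";}'
    '}'
)


class PHPUnserializer:
    """Minimal reader for PHP serialize() output: N, b, i, d, s, a, O.

    Works on bytes because PHP string lengths are byte counts. Only public
    properties are handled (private/protected names carry NUL prefixes).
    """

    def __init__(self, data: bytes):
        self.data = data
        self.pos = 0

    def _read_until(self, delim: bytes) -> bytes:
        end = self.data.index(delim, self.pos)
        tok = self.data[self.pos:end]
        self.pos = end + len(delim)
        return tok

    def _expect(self, lit: bytes) -> None:
        if not self.data.startswith(lit, self.pos):
            raise ValueError(f"expected {lit!r} at offset {self.pos}")
        self.pos += len(lit)

    def _read_string(self, terminator: bytes = b";") -> str:
        # <len>:"<bytes>" followed by ';' (s:) or ':' (O: class name)
        length = int(self._read_until(b":"))
        self._expect(b'"')
        raw = self.data[self.pos:self.pos + length]
        self.pos += length
        self._expect(b'"' + terminator)
        return raw.decode("utf-8", "replace")

    def parse(self):
        t = self.data[self.pos:self.pos + 1]
        if t == b"N":
            self.pos += 2          # 'N;'
            return None
        self.pos += 2              # type letter and ':'
        if t == b"i":
            return int(self._read_until(b";"))
        if t == b"b":
            return self._read_until(b";") == b"1"
        if t == b"d":
            return float(self._read_until(b";"))
        if t == b"s":
            return self._read_string()
        if t == b"a":
            count = int(self._read_until(b":"))
            self._expect(b"{")
            items = {}
            for _ in range(count):
                key = self.parse()
                items[key] = self.parse()
            self._expect(b"}")
            return items
        if t == b"O":
            cls = self._read_string(b":")
            count = int(self._read_until(b":"))
            self._expect(b"{")
            props = {}
            for _ in range(count):
                key = self.parse()
                props[key] = self.parse()
            self._expect(b"}")
            return {"class": cls, "properties": props}
        raise ValueError(f"unsupported type {t!r} at offset {self.pos - 2}")


def build_example_url() -> str:
    """Constructed request of the shape the thread describes (path and 's3' assumed)."""
    blob = base64.b64encode(SERIALISED_POLLER.encode()).decode()
    return "http://nlg.example.net/poller.php?" + urllib.parse.urlencode({"s3": blob})


def decode_poller_parameter(url: str, param: str = "s3"):
    """What an observer learns from the URL alone, with no class file in hand."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = base64.b64decode(query[param][0])
    return PHPUnserializer(raw).parse()


if __name__ == "__main__":
    obj = decode_poller_parameter(build_example_url())
    print("class:", obj["class"])
    for name, value in obj["properties"].items():
        print(f"  {name} = {value!r}")
```

The takeaway matches the author's own conclusion rather than contradicting it: the encoding is not a secret, so the controls that actually matter are HTTP authentication on the poller feed and making sure the feed exposes nothing the public front-end does not already show.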


_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null