servicegroup overview not restricted for htaccess users
Andreas Ericsson
ae at op5.se
Sun May 12 11:25:35 CEST 2013
On 2013-05-06 10:42, Jonas Meurer wrote:
> Hello,
>
> I fear that I discovered a security issue in Nagios 3.4.4 status.cgi:
>
> All htaccess users, even if not listed in any authorized_for_* config
> option, have full access to service group overview, summary and grid:
> /nagios/cgi-bin/status.cgi?servicegroup=all&style=overview
> /nagios/cgi-bin/status.cgi?servicegroup=all&style=summary
> /nagios/cgi-bin/status.cgi?servicegroup=all&style=grid
>
> I hope that this is not intended. Is this issue known?
>
It's a bit short on info. Servicegroups should be visible if the user
is a contact for any service in the group. If a user who has no auth
options and is not a contact for any service can see all servicegroups,
then yes, that's potentially a security issue.
--
Andreas Ericsson andreas.ericsson at op5.se
OP5 AB www.op5.se
Tel: +46 8-230225 Fax: +46 8-230231
Considering the successes of the wars on alcohol, poverty, drugs and
terror, I think we should give some serious thought to declaring war
on peace.
------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and
their applications. This 200-page book is written by three acclaimed
leaders in the field. The early access version is available now.
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null
More information about the Users
mailing list