Security issue

Hendrik Bäcker andurin at process-zero.de
Thu Nov 6 07:41:00 CET 2008


Ton Voon wrote:
> On 27 Oct 2008, at 08:51, Andreas Ericsson wrote:
> 
>> The rest of the nagios-devel mailing list, you may want to mark this
>> thread as important, although an announce will be sent once the issues
>> Tim discovered have been fixed.
> 
> I notice that there have been patches applied to Nagios for this  
> issue, but it is not clear what the security issue is.
> 
> Can you explain what the issue is, what the exposure is, and what the  
> fix does?
> 
> Ton


Hi Ton,

It was a possible Cross Site Request Forgery attack against the cmd.cgi
which allows an authorized attacker to inject external commands to
Nagios. In the worst case the attacker might execute any shell code.

I don't want to go deeper into this on publicly readable resources. I've
tested the possible attack and it was evil enough for me to update as
soon as possible.

Regards,
Hendrik
