Security issue

Andreas Ericsson ae at op5.se
Fri Nov 7 09:33:16 CET 2008


Arno Lehmann wrote:
> Hi,
> 
> 06.11.2008 12:45, Andreas Ericsson wrote:
> ...
>> A couple of things to note:
>> * Information disclosure is not possible. No remote user can see
>>   anything from your authentication-protected Nagios servers.
> 
> I'm not sure this is correct... see what all the web 2.0 stuff is 
> about - javascript executes http queries, captures the output, and 
> does something with it.
> 

No. Javascript and flash are protected by the same-site policy
(according to Tim Starling of the wikimedia foundation, who brought
this to some nagios-developer's attention), so they can't be made
to send stuff from nagios-server.example.com to evilsite.com.

> I guess it's possible for a javascript in Dr. Evil's pages to get the 
> cgi output without actually displaying it, and to forward the 
> information collected to Dr. Evil's web server.

Yes, but only from CGIs running on evilsite.com. Otherwise javascript
kiddies would be billionaires from ripping people off through online
banking or whatever.

> Don't ask for a sample exploit, please.
> 

Well, if you can think one up, you'll have discovered a fundamental
problem in how javascript works (it will be browser-dependent) and
should definitely report it to the developers of that browser.

>> * Invalid commands read from the FIFO are always dropped flat by
>>   Nagios.
>> * Since commands must be valid, it's not very easy to submit a
>>   command that has all the information required. Social engineering
>>   is required.
>> * You *will* notice if this happens to you, since you all of a
>>   sudden will end up with cmd.cgi (not in a frame either) saying
>>   "Command submitted successfully" or some such.
> 
> See above - AJAXified web pages probably can prevent this.
> 

Nopes. You see above ;-)

-- 
Andreas Ericsson                   andreas.ericsson at op5.se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231
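As an added illustration (not code from this thread or from Nagios itself), the following shows how a command-submitting CGI can reject the cross-site submissions discussed above instead of relying on the user noticing a stray "Command submitted successfully" page: a per-session token that a page on another origin cannot read, precisely because of the same-origin policy mentioned in the reply, plus an Origin/Referer check. The host name, secret and session id are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed value for the example: the host serving the monitoring CGIs.
TRUSTED_HOST = "nagios-server.example.com"


def make_csrf_token(secret: bytes, session_id: str) -> str:
    """Derive a per-session anti-CSRF token as HMAC-SHA256(secret, session id).

    The server embeds this in its own forms. A page on another origin cannot
    fetch that form and read the token, because the same-origin policy stops
    scripts from reading cross-origin responses, so it cannot forge a valid
    submission even though it can still cause the browser to send a request.
    """
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def request_is_same_origin(headers: dict) -> bool:
    """True when the Origin header (or Referer, if Origin is absent) names
    the trusted host. A request carrying neither header is rejected: some
    browsers send no Origin on cross-site form posts, so absence of the
    header is not evidence that the request came from our own pages."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    return urlsplit(source).hostname == TRUSTED_HOST


def command_allowed(method: str, headers: dict, form: dict,
                    secret: bytes, session_id: str) -> bool:
    """Accept an external command only if it is a POST from our own origin
    that carries the token issued to this authenticated session."""
    if method.upper() != "POST":
        return False  # GET links in a third-party page must never act
    if not request_is_same_origin(headers):
        return False
    expected = make_csrf_token(secret, session_id)
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak token bytes.
    return hmac.compare_digest(expected, supplied)
```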
