[PATCH 1/3] Prevent cross-site request forgeries

Andreas Ericsson ae at op5.se
Fri Nov 7 11:25:16 CET 2008


This patch implements basic in-form session tokens for cmd.cgi.
When a user is presented with the 'commit' button, a session
token consisting of a SHA1 hash made up of the user's name,
their source address and some few random numbers (seeded with
a very weak seed atm, but that can be fixed later) is generated. The session
data is stored on-disk in files named by the session ID, like so:

   /tmp/.ncgi-form-session-tokens/<SHA1>

When we're about to write the command to Nagios, we check if
the user has a valid session before allowing the command to
go through. This ensures the user arrived at the command
submission page from a page where he or she actively pressed the
"Commit" button.

Evil sites can still send unsuspecting Nagios admins to the
commit button, but unless that Nagios admin is thoroughly
stupid, he or she will not press it. Since we aren't guarding
against stupidity, this fix will do just fine.

Because form session tokens are a new invention in the world
of the Nagios CGIs, some users will have problems with it.
To facilitate the primary help channel (nagios-users@), we
tell the user (briefly) what went wrong when submitting a
command in case the form session token failed to validate.

Reported-by: Tim Starling <tstarling at wikimedia.org>
Signed-off-by: Andreas Ericsson <ae at op5.se>
---
 cgi/Makefile.in    |    7 +-
 cgi/cmd.c          |   22 +++-
 cgi/form_session.c |  432 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 cgi/form_session.h |    5 +
 cgi/sha1.c         |  151 ++++++++++++++++++
 cgi/sha1.h         |   50 ++++++
 6 files changed, 664 insertions(+), 3 deletions(-)
 create mode 100644 cgi/form_session.c
 create mode 100644 cgi/form_session.h
 create mode 100644 cgi/sha1.c
 create mode 100644 cgi/sha1.h
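
The scheme the message describes, as an added illustration written for this archive page in Python; it is not the patch's own C code (cgi/form_session.c), and the directory name, the file layout of the stored session data, the `issue_token`/`validate_token`/`demo` names and the sample user and address are all assumptions. The random part is drawn from `secrets` rather than the weak seed the message mentions, the file name is checked to be a 40-character hex SHA1 before it is used as a path, the token is bound to the user and source address it was issued for, and it is removed on first use so a replayed submission fails with the kind of short reason the message proposes showing to the user.

```python
import hashlib
import os
import re
import secrets
import tempfile

# Constructed location; the patch itself uses /tmp/.ncgi-form-session-tokens/<SHA1>.
TOKEN_DIR = os.path.join(tempfile.gettempdir(), ".demo-form-session-tokens")
# A token is only ever a lowercase hex SHA1, so anything else is rejected before
# it can be turned into a file path.
_HEX40 = re.compile(r"^[0-9a-f]{40}$")


def issue_token(user, addr, token_dir=TOKEN_DIR):
    """Mint a token when the commit form is rendered: SHA1 over the user name,
    the source address and fresh random bytes. Returns the hex token to embed
    in the form."""
    nonce = secrets.token_bytes(16)  # replaces the weak seed the message mentions
    token = hashlib.sha1(b"\0".join([user.encode(), addr.encode(), nonce])).hexdigest()
    os.makedirs(token_dir, mode=0o700, exist_ok=True)
    # Store who the token was issued to, so validation can bind it back to them.
    with open(os.path.join(token_dir, token), "w") as f:
        f.write(f"{user}\n{addr}\n")
    return token


def validate_token(token, user, addr, token_dir=TOKEN_DIR):
    """Run before the command is written to Nagios. Returns (ok, reason); the
    reason is the brief explanation a failed submission would show the user."""
    if not _HEX40.match(token or ""):
        return False, "form session token missing or malformed"
    path = os.path.join(token_dir, token)
    try:
        with open(path) as f:
            issued_to = f.read().split("\n")[:2]
    except FileNotFoundError:
        return False, "form session token not found (expired or never issued)"
    # One-shot: remove the token before deciding, so a replay cannot succeed.
    os.unlink(path)
    if issued_to != [user, addr]:
        return False, "form session token was issued to a different user or address"
    return True, "ok"


def demo(token_dir=None):
    """Exercise the scheme in a fresh directory with constructed sample values."""
    token_dir = token_dir or tempfile.mkdtemp(prefix="ncgi-demo-")
    user, addr = "nagiosadmin", "192.0.2.10"  # constructed sample identity
    results = {}
    t = issue_token(user, addr, token_dir)
    results["first_use"] = validate_token(t, user, addr, token_dir)[0]
    results["replay"] = validate_token(t, user, addr, token_dir)[0]
    t2 = issue_token(user, addr, token_dir)
    results["other_user"] = validate_token(t2, "guest", addr, token_dir)[0]
    results["malformed"] = validate_token("../../etc/passwd", user, addr, token_dir)[0]
    results["never_issued"] = validate_token("a" * 40, user, addr, token_dir)[0]
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:12s} accepted={ok}")
```

Binding the token to the user and address means a token minted for one session cannot be presented by another, and deleting it on use keeps the on-disk directory from growing with every rendered form; a real deployment would also expire tokens that were issued but never submitted.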


-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0d0cc7c51a6306a95eed9a597ac9c538d2d1f41f.diff
Type: text/x-patch
Size: 19596 bytes
Desc: not available
URL: <https://www.monitoring-lists.org/archive/developers/attachments/20081107/f2d0bc3f/attachment.bin>