Security issue
Ton Voon
ton.voon at opsera.com
Fri Nov 7 23:43:55 CET 2008
On 6 Nov 2008, at 21:51, Tobias Scherbaum wrote:
> What about Nagios-2? I guess it is affected too, will there be patches
> as well?
I've looked at the effects on Opsview's patched Nagios 2.10 and I can
confirm that other commands can get run with a carefully crafted POST
query.
I've patched Nagios 2 so that linefeeds cause an error
(http://trac.opsview.org/browser/trunk/opsview-base/patches/nagios_cgi_encoded_linefeeds.patch?rev=1653)
and I've also disabled all the CHANGE_* commands that reference
check commands
(http://trac.opsview.org/browser/trunk/opsview-base/patches/nagios_block_external_change_commands.patch?rev=1653).
For some reason, it looks like those external commands don't work
anyway - Nagios writes a corrupted value into retention.dat for the
new check command, which suggests this functionality was broken at
some point (though that could be due to some local patch we've applied).
There's the session handling portion, which I've decided to not
backport for now.
There's another component, which is the large change of the handling
of commands in cmd.cgi. Andreas says "vulnerabilities [...] resulted
in cmd.cgi potentially accepting commands from low-privileged users
that those users should not have been able to submit". However, I
don't quite understand why this is required yet. Any additional
explanation here?
Great work from the community on this!
Ton
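
Added example, not part of the original message and not the Opsview patch linked above: a minimal sketch of the kind of check the message describes, rejecting linefeeds in a CGI field after URL-decoding and before it is formatted into a Nagios external-command line. The helper names, host, author and timestamp are constructed, and rejecting carriage returns as well is an assumption beyond what the message states.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: decode %XX and '+' in place, return decoded length. */
static size_t url_decode(char *s) {
    char *in = s, *out = s;
    while (*in) {
        if (in[0] == '%' && isxdigit((unsigned char)in[1]) && isxdigit((unsigned char)in[2])) {
            char hex[3] = { in[1], in[2], '\0' };
            *out++ = (char)strtol(hex, NULL, 16);
            in += 3;
        } else {
            *out++ = (*in == '+') ? ' ' : *in;
            in++;
        }
    }
    *out = '\0';
    return (size_t)(out - s);
}

/* Build one external-command line from a CGI comment field (hypothetical).
 * Returns 0 on success, -1 if the field is rejected or does not fit. */
int build_command(const char *raw, long now, char *line, size_t len) {
    char val[256];
    if (strlen(raw) >= sizeof val) return -1;
    strcpy(val, raw);
    size_t n = url_decode(val);
    /* Check after decoding so %0A is caught; CR is rejected too (assumption). */
    if (memchr(val, '\n', n) || memchr(val, '\r', n)) return -1;
    int w = snprintf(line, len, "[%ld] ADD_HOST_COMMENT;web01;1;operator;%s\n", now, val);
    return (w < 0 || (size_t)w >= len) ? -1 : 0;
}

/* Number of command lines in the buffer; one request must yield exactly one. */
int count_lines(const char *line) {
    int c = 0;
    for (; *line; line++) if (*line == '\n') c++;
    return c;
}

int main(void) {
    char line[512];
    /* Constructed inputs: a plain comment, then one with an encoded linefeed. */
    printf("%d\n", build_command("disk+replaced", 1226097835L, line, sizeof line));
    printf("%d\n", build_command("ok%0Asecond+line", 1226097835L, line, sizeof line));
    return 0;
}
```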