[Nagios-users] servicegroup overview not restricted for htaccess users

Jonas Meurer jonas at freesources.org
Wed Jun 26 17:27:27 CEST 2013


Hello again,

Am 2013-05-13 18:02, schrieb Jonas Meurer:
> Am 12.05.2013 11:25, schrieb Andreas Ericsson:
>> On 2013-05-06 10:42, Jonas Meurer wrote:
>>> I fear that I discovered a security issue in Nagios 3.4.4
>>> status.cgi:
>>> 
>>> All htaccess users, even if not listed in any authorized_for_*
>>> config
>>> option, have full access to service group overview, summary and
>>> grid:
>>> /nagios/cgi-bin/status.cgi?servicegroup=all&style=overview
>>> /nagios/cgi-bin/status.cgi?servicegroup=all&style=summary
>>> /nagios/cgi-bin/status.cgi?servicegroup=all&style=grid
>> 
>> It's a bit short on info. Servicegroups should be visible if the user
>> is a contact for any service in the group. If a user who has no auth
>> options and is not a contact for any service can see all
>> servicegroups,
>> then yes, that's potentially a security issue.
> 
> You're nearly correct with the second assumption. Users which are
> contact for _some_ services are able to see all services in service
> group overview, summary and grid.
> 
> This problem affects everyone who restricts nagios access by using
> contacts. Unprivileged users are able to fetch the whole list of hosts
> and services on the Nagios setup in question.

I now prepared a patch to fix this security issue. You can find the 
patch (both for nagios4 git master branch and for nagios3.4.4 release) 
at the bug tracker (http://tracker.nagios.org/view.php?id=456).

I suggest incorporating the patch into a security update of Nagios 3.4.

The issue has also been reported to the Debian BTS 
(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714171).

Kind regards,
  jonas

PS: why do you always answer to the original sender only, keeping the 
discussion private? May I suggest that you reply both to sender and 
mailinglist in order to make the discussion public?

PPS: Is there a reason that SVN hosts three nagios repositories (2x git: 
nagios-nagioscore, nagios-nagios, 1x svn: nagioscore) with only the git 
repository 'nagios-nagioscore' being up-to-date? This is rather 
confusing ;)
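To make the authorization bug in the report concrete, here is an added model of the two behaviours (example code written for this page; it is not Jonas Meurer's patch from the tracker and not Nagios code). It uses a constructed, simplified configuration: a handful of services with their contacts, two servicegroups, and a stand-in for the cgi.cfg `authorized_for_all_services` list. `servicegroup_members_unfiltered` reproduces the described fault, where being a contact for any member of a group reveals every member; `servicegroup_members_filtered` applies the per-service check the report asks for; `leaked_services` is an audit helper that lists exactly what a given user over-sees.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    host: str
    description: str
    contacts: frozenset  # contact names configured for this service


@dataclass(frozen=True)
class ServiceGroup:
    name: str
    members: tuple  # tuple of Service


# Constructed sample configuration (not taken from any real Nagios install).
WEB01_HTTP = Service("web01", "HTTP", frozenset({"alice"}))
WEB02_HTTP = Service("web02", "HTTP", frozenset({"bob"}))
DB01_MYSQL = Service("db01", "MySQL", frozenset({"bob", "carol"}))
MAIL01_SMTP = Service("mail01", "SMTP", frozenset({"carol"}))

SERVICEGROUPS = {
    "web": ServiceGroup("web", (WEB01_HTTP, WEB02_HTTP)),
    "backend": ServiceGroup("backend", (DB01_MYSQL, MAIL01_SMTP)),
}

# Stand-in for the cgi.cfg authorized_for_all_services list (assumed contents).
AUTHORIZED_FOR_ALL_SERVICES = frozenset({"admin"})


def is_authorized_for_service(user, service):
    """A user may see a service if they are a contact for it or are
    listed in authorized_for_all_services."""
    return user in AUTHORIZED_FOR_ALL_SERVICES or user in service.contacts


def servicegroup_members_unfiltered(user, group):
    """Behaviour the report describes: once the user may see *any* member,
    the whole group is rendered, including services they are no contact for."""
    if any(is_authorized_for_service(user, s) for s in group.members):
        return [(s.host, s.description) for s in group.members]
    return []


def servicegroup_members_filtered(user, group):
    """Corrected behaviour: each member is listed only if the user is
    authorized for that specific service."""
    return [(s.host, s.description)
            for s in group.members
            if is_authorized_for_service(user, s)]


def status_view(user, servicegroup, filtered=True, groups=SERVICEGROUPS):
    """Model of status.cgi?servicegroup=<name|all>&style=overview:
    returns {group name: [visible members]} for groups with at least
    one visible member."""
    selected = groups.values() if servicegroup == "all" else [groups[servicegroup]]
    render = servicegroup_members_filtered if filtered else servicegroup_members_unfiltered
    view = {}
    for g in selected:
        members = render(user, g)
        if members:
            view[g.name] = members
    return view


def leaked_services(user, groups=SERVICEGROUPS):
    """Audit helper: services the user would see in the unfiltered view
    but is not authorized for. Non-empty means the overview over-discloses."""
    leaked = set()
    for g in groups.values():
        allowed = set(servicegroup_members_filtered(user, g))
        shown = set(servicegroup_members_unfiltered(user, g))
        leaked |= shown - allowed
    return sorted(leaked)


if __name__ == "__main__":
    for user in ("alice", "bob", "dave", "admin"):
        print(user, "unfiltered:", status_view(user, "all", filtered=False))
        print(user, "filtered:  ", status_view(user, "all"))
        print(user, "leaked:    ", leaked_services(user))
```

With this configuration, alice (a contact for web01/HTTP only) sees both web services in the unfiltered overview but only her own in the filtered one; dave, who is no contact anywhere, sees nothing either way, which matches the behaviour Andreas describes as expected and explains why the fault is easy to miss when testing only with a fully unprivileged account.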
