ANNOUNCE: Nagios Looking Glass 1.0.0#PRE is here!

Andy Shellam (Mailing Lists) andy.shellam-lists at mailnetwork.co.uk
Thu Dec 28 08:27:13 CET 2006


John P. Rouillard wrote:
> In message <459301E4.3090206 at mailnetwork.co.uk>,
> "Andy Shellam (Mailing Lists)" writes:
>   
>> Doesn't sound rude at all, after all this is why it's a beta.
>> The only test that I think needs to be done is to check if $_GET['fid'] 
>> is a number.
>>
>> If it was to a database I'd definitely make it more secure, but there is 
>> no way you can forcibly pass a parameter to NLG.
>> Because the content is rendered (and URLs built) by JavaScript, if you 
>> added ?fid=<whatever> to the query string, the JS ignores it and uses 
>> whatever values it holds internally (which are set when you do a select 
>> in the filter dropdown, and on initial load are set to 0.)
>>     
>
> If the javascript is on the client side, then I have access to the
> code and enough info to create my own URL. Then what stops me from
> creating any URL and sending it to NLG by hand?
>   
From the client side, the URL that's built in the JavaScript comes out to:

"?view=server&fid=1&gid=3"

That's the most info you'll get out of the JS - pass that to the 
s3_client.php page and you'll get an un-styled, plain format of the page 
that's rendered when you click on a "Server" link.
What benefit is there (to a normal user or a hacker) of wanting to 
change the fid and gid?  They do nothing except choose which data you 
want to get back to the client front-end.

If you replace fid or gid with an invalid group or filter, you won't 
get any valid data back.
>> If you requested the full URL that's passed to the poller back-end, 
>> you'd find it extremely difficult to decipher it without the 
>> s3_class.inc.php file (as this is what the client front-end does) and to 
>> the average Joe it'd be a load of figures and numbers (sure you could 
>> base64 decode the relevant part of it, but it'd mean nothing without the 
>> s3_class.inc.php.)
>>     
>
> Correct me if I am wrong, but you are giving away the source including
> the php files needed to decode things.
>   
I'm talking about if a user/hacker connected directly to the poller 
script, he wouldn't necessarily know what the software application is 
that's running, or even which files he needed to use from the distribution.
>   
>> Also if you passed an invalid filter to the poller, I believe (off the 
>> top of my head) it'd set it to 0 anyway.  Either that, or it'd just 
>> return no servers.
>>
>> And you should set up HTTP authentication to the poller's back-end script 
>> so your average Joe can't access it without the correct username and 
>> password anyway.
>>     
>
> If the plan is for this to be a safe read only interface compared to
> the standard nagios cgi's, I may very well want to deploy it without
> authentication.
>   
You're not thinking about the architecture of how NLG works:

Client-side - front user-interface (sits on any public webserver)  <-- 
this is publicly available
Server-side - back-end poller (sits on Nagios server) <-- this is what 
should be authenticated
>   
>> For 1.0.0 I'll add the check to make sure the parameters are integers, 
>> but in the end I think it's a case of much ado about nothing.
>>     
>
> Hmm, well thanks for making the change, too bad you feel that way.
>   
If someone can provide me with a way in which NLG can be used to extract 
data users wouldn't normally see through Nagios, then I'll be only too 
happy to change how I feel.

-- 
Andy Shellam
NetServe Support Team

the Mail Network
"an alternative in a standardised world"

p: +44 (0) 121 288 0832/0839
m: +44 (0) 7818 000834
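The integer check the thread discusses ("check if $_GET['fid'] is a number"), as an added example in PHP; this is not code from the NLG distribution. The function name nlg_int_param and the sample query strings are constructed for illustration, and the fallback to 0 follows the "set it to 0 anyway" behaviour described above.

```php
<?php
// Added example, not NLG's own code. The client-side JavaScript builds
// "?view=server&fid=1&gid=3", but anyone can hand-build a URL to the
// poller, so the back-end has to validate fid and gid itself.

// Hypothetical helper: returns the parameter as a non-negative integer,
// or $default (0, matching the behaviour described in the thread) when
// the parameter is missing, non-numeric, negative, or not a plain scalar.
function nlg_int_param(array $query, string $name, int $default = 0): int
{
    if (!array_key_exists($name, $query)) {
        return $default;
    }
    // FILTER_VALIDATE_INT rejects "1abc", "2.5", "" and leading spaces;
    // min_range rejects negatives. An array value (fid[]=1) also fails
    // validation because FILTER_REQUIRE_ARRAY is not set.
    $value = filter_var($query[$name], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0],
    ]);
    return $value === false ? $default : $value;
}

// Constructed sample query strings: the one the JS emits, then hand-edited ones.
$samples = [
    'view=server&fid=1&gid=3',
    'view=server&fid=1abc&gid=3',
    'view=server&fid=2.5&gid=-7',
    'view=server&fid[]=1&gid=3',
];

foreach ($samples as $qs) {
    parse_str($qs, $params);
    $fid = nlg_int_param($params, 'fid');
    $gid = nlg_int_param($params, 'gid');
    printf("%-32s => fid=%d gid=%d\n", $qs, $fid, $gid);
}
// Expected: 1/3, 0/3, 0/0, 0/3 respectively.
```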


_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null