servicegroup overview not restricted for htaccess users

Andreas Ericsson ae at op5.se
Sun May 12 11:25:35 CEST 2013


On 2013-05-06 10:42, Jonas Meurer wrote:
> Hello,
>
> I fear that I discovered a security issue in Nagios 3.4.4 status.cgi:
>
> All htaccess users, even if not listed in any authorized_for_* config
> option, have full access to service group overview, summary and grid:
> /nagios/cgi-bin/status.cgi?servicegroup=all&style=overview
> /nagios/cgi-bin/status.cgi?servicegroup=all&style=summary
> /nagios/cgi-bin/status.cgi?servicegroup=all&style=grid
>
> I hope that this is not intended. Is this issue known?
>

It's a bit short on info. Servicegroups should be visible if the user
is a contact for any service in the group. If a user who has no auth
options and is not a contact for any service can see all servicegroups,
then yes, that's potentially a security issue.

-- 
Andreas Ericsson                   andreas.ericsson at op5.se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231

Considering the successes of the wars on alcohol, poverty, drugs and
terror, I think we should give some serious thought to declaring war
on peace.

_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null
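
Added example, not part of the original thread: one way to see which htaccess users have actually requested the three servicegroup views named in the report, so they can be compared against the contacts and authorized_for_* users. It assumes Apache common/combined access-log format; the log lines, user names and the `expected_users` set are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache common/combined prefix: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
VIEWS = {"overview", "summary", "grid"}  # the three styles named in the report


def servicegroup_view_requests(lines, expected_users):
    """Return {user: [(time, servicegroup, style), ...]} for authenticated users
    outside expected_users who requested a servicegroup view from status.cgi."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["user"] == "-":
            continue  # unparseable line, or no authenticated user on the request
        url = urlsplit(m["target"])
        if not url.path.endswith("/status.cgi"):
            continue
        query = parse_qs(url.query)
        group = query.get("servicegroup", [None])[0]
        style = query.get("style", [""])[0]
        if group is None or style not in VIEWS:
            continue
        if m["user"] not in expected_users:
            hits[m["user"]].append((m["time"], group, style))
    return dict(hits)


# Constructed sample log lines (documentation addresses, made-up users).
SAMPLE_LOG = [
    '192.0.2.10 - jdoe [06/May/2013:10:40:01 +0200] "GET /nagios/cgi-bin/status.cgi?servicegroup=all&style=overview HTTP/1.1" 200 18234',
    '192.0.2.11 - guest [06/May/2013:10:42:17 +0200] "GET /nagios/cgi-bin/status.cgi?servicegroup=all&style=grid HTTP/1.1" 200 20111',
    '192.0.2.11 - guest [06/May/2013:10:43:02 +0200] "GET /nagios/cgi-bin/status.cgi?host=all HTTP/1.1" 200 912',
    '192.0.2.12 - - [06/May/2013:10:44:00 +0200] "GET /nagios/cgi-bin/status.cgi?servicegroup=all&style=summary HTTP/1.1" 401 381',
]

if __name__ == "__main__":
    # expected_users: users who are contacts or listed in authorized_for_* (assumed here)
    for user, reqs in servicegroup_view_requests(SAMPLE_LOG, {"jdoe"}).items():
        for when, group, style in reqs:
            print(f"{user} requested servicegroup={group} style={style} at {when}")
```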
