servicegroup overview not restricted for htaccess users

Jonas Meurer jonas at freesources.org
Mon May 13 18:02:43 CEST 2013


Hello Andreas,

Am 12.05.2013 11:25, schrieb Andreas Ericsson:
> On 2013-05-06 10:42, Jonas Meurer wrote:
>> Hello,
>>
>> I fear that I discovered a security issue in Nagios 3.4.4 
>> status.cgi:
>>
>> All htaccess users, even if not listed in any authorized_for_* 
>> config
>> option, have full access to service group overview, summary and 
>> grid:
>> /nagios/cgi-bin/status.cgi?servicegroup=all&style=overview
>> /nagios/cgi-bin/status.cgi?servicegroup=all&style=summary
>> /nagios/cgi-bin/status.cgi?servicegroup=all&style=grid
>>
>> I hope that this is not intended. Is this issue known?
>>
>
> It's a bit short on info. Servicegroups should be visible if the user
> is a contact for any service in the group. If a user who has no auth
> options and is not a contact for any service can see all 
> servicegroups,
> then yes, that's potentially a security issue.

You're nearly correct with the second assumption. Users who are
contacts for _some_ services are able to see all services in service
group overview, summary and grid.

This problem affects everyone who restricts nagios access by using
contacts. Unprivileged users are able to fetch the whole list of hosts
and services on the Nagios setup in question.

Kind regards,
  jonas
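A way to reproduce the check Jonas describes on your own install, as an added example (not code from the mail or from the Nagios project): take the servicegroup overview/summary/grid pages as seen by an htaccess user who is a contact for only a few services, pull every host and service the page names, and diff that against what the contact is supposed to see. The parsing assumes the Nagios 3.x CGIs link hosts and services to `extinfo.cgi?type=1&host=...` and `extinfo.cgi?type=2&host=...&service=...`; the embedded HTML, the `web1`/`db1` hosts and the credentials in the usage comment are constructed for the example.

```python
import base64
import html
import re
import sys
import urllib.request
from urllib.parse import parse_qs, urlsplit

# Constructed sample of the kind of markup status.cgi emits for
# servicegroup=all&style=grid. Assumption: host and service cells link to
# extinfo.cgi with type=1 (host) and type=2 (host+service), as the Nagios 3.x
# CGIs do; the surrounding table layout does not matter to this check.
SAMPLE_HTML = """
<table class='status'>
<tr><td><a href='extinfo.cgi?type=1&amp;host=web1'>web1</a></td>
<td><a href='extinfo.cgi?type=2&amp;host=web1&amp;service=HTTP'>HTTP</a></td></tr>
<tr><td><a href='extinfo.cgi?type=1&host=db1'>db1</a></td>
<td><a href='extinfo.cgi?type=2&host=db1&service=MySQL'>MySQL</a></td></tr>
</table>
"""

HREF_RE = re.compile(r"""href=['"]?([^'" >]+)""", re.IGNORECASE)


def extract_hosts_and_services(page):
    """Return (hosts, services) named by extinfo.cgi links in a status page.

    hosts is a set of host names, services a set of (host, service) tuples.
    Both escaped (&amp;) and raw (&) query separators are accepted.
    """
    hosts, services = set(), set()
    for href in HREF_RE.findall(page):
        if "extinfo.cgi" not in href:
            continue
        query = parse_qs(urlsplit(html.unescape(href)).query)
        host = query.get("host", [None])[0]
        if host is None:
            continue
        hosts.add(host)
        service = query.get("service", [None])[0]
        if service is not None:
            services.add((host, service))
    return hosts, services


def find_leaks(page, allowed_hosts, allowed_services):
    """Hosts and services on the page that the user is not a contact for.

    allowed_hosts: iterable of host names; allowed_services: iterable of
    (host, service) tuples. Anything visible beyond those is a leak.
    """
    hosts, services = extract_hosts_and_services(page)
    return {
        "hosts": sorted(hosts - set(allowed_hosts)),
        "services": sorted(services - set(allowed_services)),
    }


def fetch_status_page(base_url, user, password, style):
    """GET status.cgi?servicegroup=all&style=<style> with HTTP basic auth,
    i.e. the same credentials the htaccess-restricted user would present."""
    url = "%s/cgi-bin/status.cgi?servicegroup=all&style=%s" % (
        base_url.rstrip("/"), style)
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req) as resp:
        charset = resp.headers.get_content_charset() or "iso-8859-1"
        return resp.read().decode(charset, errors="replace")


if __name__ == "__main__":
    # Offline demonstration on the constructed sample: the user is a contact
    # for web1/HTTP only, so db1 and db1/MySQL are leaks.
    print(find_leaks(SAMPLE_HTML, {"web1"}, {("web1", "HTTP")}))
    # Against a live install (assumed URL and credentials):
    #   python3 check_leak.py http://nagios.example/nagios lowpriv secret
    # prints everything that user can see on each of the three pages, to be
    # compared with the hosts/services the contact is actually defined on.
    if len(sys.argv) == 4:
        base, user, pw = sys.argv[1:]
        for style in ("overview", "summary", "grid"):
            hosts, services = extract_hosts_and_services(
                fetch_status_page(base, user, pw, style))
            print(style, "hosts:", sorted(hosts), "services:", sorted(services))
```

Run it once as a user who is a contact for a handful of services and has no authorized_for_* entry; if the "grid" output lists hosts that user is not a contact for, the install shows the behaviour described in the thread.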


_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null