<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7638.1"> <TITLE>RE: [Nagios-users] ANNOUNCE: Nagios Looking Glass 1.0.0#PRE is here!</TITLE> </HEAD> <BODY>  Hi Andy, > You're not thinking about the architecture of how NLG works: > Client-side - front user-interface (sits on any public webserver) <-- > this is publicly available > Server-side - back-end poller (sits on Nagios server) <-- this is what > should be authenticated .... > If someone can provide me with a way in which NLG can be used to extract > data users wouldn't normally see through Nagios, then I'll be only too > happy to change how I feel. Besides the question if webservices are available to the public or not I would like to explain why I posted my findings. Part of my job is checking on security issues for products we might want to use. You have stated that currently it is not a problem. True. But consider the fact that this is a project in development. From my experience one needs to make sure user input is sanitized since you can't predict the excisting code wil not be expended in a case where other url parameters might be read. Sanitizing is always a good idea. As for people like me, I asume I'm not the only one, we tend to do security audits on code that we might want to use for our office or even for our clients. I will always run a first check before installing any solution. With possible problem's like input that is not sanitized I tend to look for other products since it only costs me more time to to audit code that will have unsanitized parts. Again, I am not stating it is insecure but it is my beleive it could get insecure once a project is growing. I will have the time to do a more specified audit in a few weeks. Will let you know what my findings are. Best regards, Hans </BODY> </HTML>