Thread: Re: [Nagios-devel] [Nagios-users] servicegroup overview not restricted for htaccess users
From: Jonas M. <jo...@fr...> - 2013-06-26 15:28:42
Hello again,

On 2013-05-13 18:02, Jonas Meurer wrote:
> On 2013-05-12 11:25, Andreas Ericsson wrote:
>> On 2013-05-06 10:42, Jonas Meurer wrote:
>>> I fear that I discovered a security issue in Nagios 3.4.4 status.cgi:
>>>
>>> All htaccess users, even if not listed in any authorized_for_* config
>>> option, have full access to service group overview, summary and grid:
>>> /nagios/cgi-bin/status.cgi?servicegroup=all&style=overview
>>> /nagios/cgi-bin/status.cgi?servicegroup=all&style=summary
>>> /nagios/cgi-bin/status.cgi?servicegroup=all&style=grid
>>
>> It's a bit short on info. Servicegroups should be visible if the user
>> is a contact for any service in the group. If a user who has no auth
>> options and is not a contact for any service can see all servicegroups,
>> then yes, that's potentially a security issue.
>
> You're nearly correct with the second assumption. Users who are
> contacts for _some_ services are able to see all services in service
> group overview, summary and grid.
>
> This problem affects everyone who restricts Nagios access by using
> contacts. Unprivileged users are able to fetch the whole list of hosts
> and services on the Nagios setup in question.

I have now prepared a patch to fix this security issue. You can find the patch (both for the nagios4 git master branch and for the nagios 3.4.4 release) at the bug tracker (http://tracker.nagios.org/view.php?id=456). I suggest incorporating the patch into a security update of Nagios 3.4.

The issue is also reported to the Debian BTS (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714171).

Kind regards,
jonas

PS: Why do you always reply to the original sender only, keeping the discussion private? May I suggest that you reply both to the sender and the mailing list in order to make the discussion public?

PPS: Is there a reason that SVN hosts three nagios repositories (2x git: nagios-nagioscore, nagios-nagios, 1x svn: nagioscore) with only the git repository 'nagios-nagioscore' being up-to-date?
This is rather confusing ;)
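The authorization rule discussed in the message (a service is visible only to users listed in authorized_for_all_services or to contacts of that service) and the failure mode reported (the servicegroup overview/summary/grid views list every service in the group without applying that rule per service) can be modelled in a few lines. The following is an added example written for this page; it is not Nagios code, not the patch linked above, and the type names, the `_model` function and the sample servicegroup with hosts www1/db1 and contacts webadmin/netadmin/dbadmin are all constructed for illustration.

```c
/* Added example (not Nagios's own code or the patch from the tracker):
 * a minimal model of the per-service authorization check that a servicegroup
 * view must apply to every service it prints. All names and data are
 * constructed for illustration. */
#include <stdio.h>
#include <string.h>

#define MAX_CONTACTS 4

/* One monitored service and the contacts notified for it. */
typedef struct {
    const char *host_name;
    const char *description;
    const char *contacts[MAX_CONTACTS];   /* NULL-terminated list */
} svc_t;

/* What the CGI knows about the authenticated htaccess user. */
typedef struct {
    const char *username;
    int authorized_for_all_services;   /* user listed in authorized_for_all_services in cgi.cfg */
} authdata_t;

/* 1 if the user may see svc: global read access, or a contact of the service.
 * This mirrors the rule stated in the thread; the real check lives in the CGI auth code. */
static int is_authorized_for_service_model(const svc_t *svc, const authdata_t *auth)
{
    if (auth->authorized_for_all_services)
        return 1;
    for (int i = 0; i < MAX_CONTACTS && svc->contacts[i] != NULL; i++)
        if (strcmp(svc->contacts[i], auth->username) == 0)
            return 1;
    return 0;
}

/* Constructed servicegroup "all": two hosts, three services, different contacts. */
static const svc_t SERVICEGROUP_ALL[] = {
    {"www1", "HTTP",  {"webadmin", NULL}},
    {"www1", "PING",  {"webadmin", "netadmin", NULL}},
    {"db1",  "MySQL", {"dbadmin", NULL}},
};
#define N_SERVICES (sizeof SERVICEGROUP_ALL / sizeof SERVICEGROUP_ALL[0])

/* The reported (broken) behaviour: the view emits every service in the group,
 * whoever is asking. Returns the number of services that would be shown. */
int count_visible_unchecked(const authdata_t *auth)
{
    (void)auth;   /* identity is never consulted: that is the bug */
    return (int)N_SERVICES;
}

/* The corrected behaviour: each service passes through the authorization check
 * before it is emitted. Returns the number shown; if out is non-NULL, writes the
 * visible "host/service" names, space-separated, into it. */
int count_visible_checked(const authdata_t *auth, char *out, size_t outlen)
{
    int n = 0;
    if (out && outlen)
        out[0] = '\0';
    for (size_t i = 0; i < N_SERVICES; i++) {
        const svc_t *s = &SERVICEGROUP_ALL[i];
        if (!is_authorized_for_service_model(s, auth))
            continue;   /* not a contact and no global rights: leave it out of the view */
        n++;
        if (out && outlen) {
            size_t used = strlen(out);
            snprintf(out + used, outlen - used, "%s%s/%s",
                     used ? " " : "", s->host_name, s->description);
        }
    }
    return n;
}

int main(void)
{
    authdata_t webadmin = {"webadmin", 0};   /* contact for www1 only */
    authdata_t admin    = {"root", 1};       /* authorized_for_all_services */
    char buf[128];

    printf("unchecked view for webadmin: %d services\n", count_visible_unchecked(&webadmin));
    printf("checked view for webadmin:   %d services (%s)\n",
           count_visible_checked(&webadmin, buf, sizeof buf), buf);
    printf("checked view for admin:      %d services\n", count_visible_checked(&admin, NULL, 0));
    return 0;
}
```

The point the model makes is the one in the report: a user who is a contact for some services (webadmin) gets the whole group from the unchecked view, including db1/MySQL, while the checked view reduces the output to the two www1 services; a user who is a contact for nothing sees an empty group rather than the full host and service inventory. When reviewing the actual patch, the thing to verify is that the same per-service check is applied in all three styles (overview, summary and grid), not only in the plain service listing.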