Re: [Nagios-devel] [Nagios-users] servicegroup overview not



Post by Guest »

Hello again,

On 2013-05-13 18:02, Jonas Meurer wrote:
> On 12.05.2013 11:25, Andreas Ericsson wrote:
>> On 2013-05-06 10:42, Jonas Meurer wrote:
>>> I fear that I discovered a security issue in Nagios 3.4.4
>>> status.cgi:
>>>
>>> All htaccess users, even if not listed in any authorized_for_*
>>> config option, have full access to service group overview, summary
>>> and grid:
>>> /nagios/cgi-bin/status.cgi?servicegroup=all&style=overview
>>> /nagios/cgi-bin/status.cgi?servicegroup=all&style=summary
>>> /nagios/cgi-bin/status.cgi?servicegroup=all&style=grid
>>
>> It's a bit short on info. Servicegroups should be visible if the user
>> is a contact for any service in the group. If a user who has no auth
>> options and is not a contact for any service can see all servicegroups,
>> then yes, that's potentially a security issue.
>
> You're nearly correct with the second assumption. Users which are
> contact for _some_ services are able to see all services in service
> group overview, summary and grid.
>
> This problem affects everyone who restricts nagios access by using
> contacts. Unprivileged users are able to fetch the whole list of hosts
> and services on the Nagios setup in question.

I now prepared a patch to fix this security issue. You can find the
patch (both for nagios4 git master branch and for nagios3.4.4 release)
at the bug tracker (http://tracker.nagios.org/view.php?id=456).

I suggest incorporating the patch into a security update of Nagios 3.4.

The issue is also reported to Debian BTS
(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714171).

Kind regards,
jonas

PS: why do you always answer to the original sender only, keeping the
discussion private? May I suggest that you reply both to sender and
mailing list in order to make the discussion public?

PPS: Is there a reason that SVN hosts three nagios repositories (2x git:
nagios-nagioscore, nagios-nagios, 1x svn: nagioscore) with only the git
repository 'nagios-nagioscore' being up-to-date? This is rather
confusing ;)
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: jonas@freesources.org
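The authorization rule discussed in the thread (a service should be visible only to a user who is a contact for it, or who holds a blanket authorized_for_* grant), modelled as an added example. This is not Nagios code and not the patch from the tracker; the names Service, CgiAuth, servicegroup_overview_unfiltered and servicegroup_overview_filtered are assumptions made for this illustration, and the sample servicegroup is constructed. The unfiltered function reproduces the behaviour the report describes (being a contact for one member exposes every member); the filtered one applies the per-service check to each row.

```python
# Added example: a model of Nagios-style servicegroup authorization.
# Not Nagios's own code; names and sample data are constructed for illustration.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Service:
    host: str
    description: str
    contacts: frozenset  # users listed as contacts for this service


@dataclass
class CgiAuth:
    # Models the cgi.cfg grant that lets a user see every service
    # (assumed name, after the real authorized_for_all_services option).
    authorized_for_all_services: frozenset = field(default_factory=frozenset)


def is_authorized_for_service(user: str, svc: Service, auth: CgiAuth) -> bool:
    """A user may see a service if globally authorized or a contact for it."""
    if user in auth.authorized_for_all_services:
        return True
    return user in svc.contacts


# Constructed sample servicegroup: alice is contact for the web hosts only,
# bob for the database host.
SERVICEGROUP_WEB = [
    Service("www1", "HTTP", frozenset({"alice"})),
    Service("www2", "HTTP", frozenset({"alice"})),
    Service("db1", "MySQL", frozenset({"bob"})),
]


def servicegroup_overview_unfiltered(user: str, group: list, auth: CgiAuth) -> list:
    """Flawed behaviour described in the report: the group is gated as a whole.

    Once the user is a contact for at least one member, every member is listed,
    so a contact for a single service can enumerate the whole group.
    """
    if not any(is_authorized_for_service(user, s, auth) for s in group):
        return []
    return [(s.host, s.description) for s in group]


def servicegroup_overview_filtered(user: str, group: list, auth: CgiAuth) -> list:
    """Corrected behaviour: apply the per-service check to every row."""
    return [
        (s.host, s.description)
        for s in group
        if is_authorized_for_service(user, s, auth)
    ]


if __name__ == "__main__":
    auth = CgiAuth(authorized_for_all_services=frozenset({"admin"}))
    for user in ("alice", "bob", "carol", "admin"):
        print(user, "unfiltered:", servicegroup_overview_unfiltered(user, SERVICEGROUP_WEB, auth))
        print(user, "filtered:  ", servicegroup_overview_filtered(user, SERVICEGROUP_WEB, auth))
```

Run as a script, the output shows alice seeing db1 through the unfiltered view but not the filtered one, carol (no contact entries, no grant) seeing nothing either way, and admin seeing everything in both. The difference between the two functions is the whole fix: the gate has to be evaluated per service in the loop that renders rows, not once for the group.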