Rapid Response Link Security Bug
I just had a user that didn't have an account get a rapid response link forwarded over to him. He clicked on it and modified the url so that he would only hit the main site https://servername/nagiosxi/ website and it authenticated him as the user on the server.
Re: Rapid Response Link Security Bug
Using Nagios XI 2014R2.6
Re: Rapid Response Link Security Bug
This is somewhere between "Expected behavior" and "Probably unintended". By its very nature, the Rapid Response feature allows someone to receive a link that logs them in automatically. Protecting that link then becomes part of the security of the feature. The part I am unsure of is whether it should authenticate a user for that one page or for the interface in general. My expectation is that it would only be for a single page, but according to the developers this is currently the way it should work.
We discussed making this a "One key/token = one page" sort of deal, potentially with a "Only valid for X minutes" clause as well. But for right now, the "security bug" was forwarding the email. You can disable the auto-login URL so they are presented with the login page instead of automatically being logged in, but then it becomes the "Response" URL and not the "Rapid Response" URL.
Former Nagios employee
Re: Rapid Response Link Security Bug
It definitely doesn't do it for just one page. How can I go about disabling the auto-login URL?
Re: Rapid Response Link Security Bug
Open the "/usr/local/nagiosxi/html/config.inc.php" file in a text editor and see if you can find the following line:

    $cfg['secure_response_url']=0;

Change it to:

    $cfg['secure_response_url']=1;

Save, exit and restart apache:

    service httpd restart

Setting it to 1 should force users to login in the response URL. Hope this helps.

Be sure to check out our Knowledgebase for helpful articles and solutions!
Re: Rapid Response Link Security Bug
Seems to be currently commented out, and it states:
/********* DO NOT MODIFY ANYTHING BELOW THIS LINE **********/
// Secure notification %responseurl%
// setting this to 1 will force users to login in the response URL
// $cfg['secure_response_url']=1;
Re: Rapid Response Link Security Bug
That's exactly what we want to do, so you can safely remove the comments. Just keep in mind, this will prevent the auto-login.
Former Nagios employee
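The steps above (find the `$cfg['secure_response_url']` line, set it to 1, restart apache) assume the line is present and active, while the previous post shows it can be commented out behind a "DO NOT MODIFY" banner. The script below is an added example, not Nagios's own code or tooling: it applies the setting to a copy of `config.inc.php` in a way that handles all three states (active `=0`, commented-out `=1`, or absent), keeps a backup, and reports the value PHP will actually see (last assignment wins, comments ignored). The sample config it generates is constructed from the comment block quoted in this thread; the `/usr/local/nagiosxi/html/config.inc.php` path is the one given above.

```shell
#!/bin/sh
# Added example (not part of Nagios XI): enable secure_response_url in a
# config.inc.php, including the case where the line is commented out.
set -eu

# Constructed sample config mirroring the comment block quoted in the thread.
make_sample_config() {
  cat > "$1" <<'EOF'
<?php
$cfg['some_other_setting']='x';
/********* DO NOT MODIFY ANYTHING BELOW THIS LINE **********/
// Secure notification %responseurl%
// setting this to 1 will force users to login in the response URL
// $cfg['secure_response_url']=1;
EOF
}

# Make "$cfg['secure_response_url']=1;" the effective setting:
#  - an active "=0" line is rewritten to "=1"
#  - a commented-out "// $cfg[...]=1;" line is uncommented
#  - if no such line exists at all, one is appended
# A backup of the original file is written next to it as <file>.bak.
enable_secure_response_url() {
  f="$1"
  cp "$f" "$f.bak"
  if grep -Eq "^[[:space:]]*(//[[:space:]]*)?\\\$cfg\['secure_response_url'\][[:space:]]*=[[:space:]]*[01];" "$f"; then
    sed -E "s|^[[:space:]]*(//[[:space:]]*)?(\\\$cfg\['secure_response_url'\])[[:space:]]*=[[:space:]]*[01];|\2=1;|" "$f" > "$f.new"
    mv "$f.new" "$f"
  else
    printf "%s\n" "\$cfg['secure_response_url']=1;" >> "$f"
  fi
}

# Print the value PHP will use: only uncommented assignments count, and the
# last one in the file wins. Prints nothing if the setting is not set.
effective_secure_response_url() {
  grep -E "^[[:space:]]*\\\$cfg\['secure_response_url'\][[:space:]]*=" "$1" \
    | tail -n 1 \
    | sed -E 's/.*=[[:space:]]*([01]);.*/\1/'
}

# Usage: sh enable_secure_response_url.sh /usr/local/nagiosxi/html/config.inc.php
# then restart apache as the thread instructs (service httpd restart).
if [ "$#" -eq 1 ]; then
  enable_secure_response_url "$1"
  echo "secure_response_url is now: $(effective_secure_response_url "$1")"
fi
```

Run it against the sample first (call `make_sample_config` on a temp file) to see the commented line become active; on a real install, check `effective_secure_response_url` afterwards and then restart apache, since the new setting only takes effect once the running PHP picks up the file. Old notification links issued before the change stop working, as the later posts in this thread confirm.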
Re: Rapid Response Link Security Bug
I was finally able to get the test environment running with notifications to test this. Old URLs are no longer valid and the new one prompts for login screen. Thank you for the help on this. Feel free to lock... Scratch that.. Let me test a bit more....
Re: Rapid Response Link Security Bug
> Old URLs are no longer valid and the new one prompts for login screen.

This is correct. After making the changes in the config.inc.php, the old URLs shouldn't be valid and the new ones should prompt for credentials.

> Thank you for the help on this. Feel free to lock... Scratch that.. Let me test a bit more....

No problem. We will keep this topic open for a while. Let us know if you run into some more issues. Thanks!
Be sure to check out our Knowledgebase for helpful articles and solutions!
Re: Rapid Response Link Security Bug
Feel free to lock. 