The links within the notification emails provide direct access into our instance of NagiosXI. A simple URL change after clicking the link logs you directly into the rest of the portal.
Is this by design? Is there a way to stop this behavior & limit the access that link has to the necessary functionality?
Thank you.
Notification Email Link Security
Re: Notification Email Link Security
Does this occur for everyone who receives a notification or a select few?
Are they Nagios XI users or just contacts? No way should contacts gain access to the XI UI...
https://assets.nagios.com/downloads/nag ... ntacts.pdf
Be sure to check out the Knowledgebase for helpful articles and solutions!
Re: Notification Email Link Security
I just checked on my end with that link, and confirmed it does indeed do a no password or API authentication. I've filed a bug report for this, ID #8821.
Former Nagios Employee
Re: Notification Email Link Security
Thank you muchly for the replies.
I can confirm this happens for all users, LDAP & local alike.
Pardon my newbness & thank you for filing the bug but two questions:
1) How do I track that bug & its resolution?
2) Are there any workarounds in the meantime or should I just do away with these links in the notifications for now?
Thank you.
M
Re: Notification Email Link Security
Add the following line to the "/usr/local/nagiosxi/html/config.inc.php":
    $cfg['secure_response_url']=1;
and restart Apache:
    service httpd restart
When using the "new" response URL links (after the change), you will be asked to authenticate. Is this what you were looking for?
Be sure to check out our Knowledgebase for helpful articles and solutions!
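A check that the setting from the post above is actually active in the config file, added here as an example and not part of the thread or of Nagios XI's own tooling. The function name is hypothetical, and treating `true` as equivalent to `1` is an assumption.

```shell
#!/bin/sh
# Added example: report whether secure_response_url is enabled in a
# Nagios XI config.inc.php. Prints enabled / disabled / missing / unreadable.
# Exit status: 0 = enabled, 1 = missing or disabled, 2 = file unreadable.

secure_response_url_state() {
    conf=$1
    [ -r "$conf" ] || { echo "unreadable"; return 2; }
    # Match only active assignments: a line commented out with // or # does
    # not start with $cfg, so it is skipped. Take the last match, because a
    # later assignment in the PHP file overrides an earlier one.
    value=$(grep -E "^[[:space:]]*\\\$cfg\[['\"]secure_response_url['\"]\][[:space:]]*=" "$conf" \
        | tail -n 1 \
        | sed -E "s/^[^=]*=[[:space:]]*([^;[:space:]]*).*/\1/")
    case $value in
        # Assumption: only 1 (as on the page) or true counts as enabled.
        1|true|TRUE|\'1\'|\"1\") echo "enabled"; return 0 ;;
        "") echo "missing"; return 1 ;;
        *) echo "disabled"; return 1 ;;
    esac
}

# Constructed sample config (not a real Nagios XI file): the setting is
# commented out once, then set for real further down.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<?php
// $cfg['secure_response_url']=0;
$cfg['secure_response_url'] = 1;
EOF
echo "sample config: $(secure_response_url_state "$sample")"
rm -f "$sample"
```

On a real server, call it with the path from the post: `secure_response_url_state /usr/local/nagiosxi/html/config.inc.php`. A result of "missing" or "disabled" means the response links are still using the behaviour reported at the top of the thread.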