Hi all,
I have found a security risk in Nagios XI.
If you forward an email about some service to your colleagues, take this one for example:
***** Nagios XI Alert *****
Nagios has detected a problem with this service.
Notification Type: PROBLEM
Service: Memory Usage
Host: NameHost
Address: IPhost
State: WARNING
Info:
WARNING: Free memory percentage is less than or equal to 10%: 7% (73 MiB)
Date/Time: 25/06/2013 11:42:47
Respond: http://nagiosIP/nagiosxi//rr.php?uid=50 ... 6433ebce54
Nagios URL: http://nagiosIP/nagiosxi/
If you click on the first link and then copy/paste the second link into the same window, you are logged on to Nagios XI without knowing the username / password!!!!!
Security Issue - Nagios XI
sreinhardt
Re: Security Issue - Nagios XI
Actually this is entirely intentional. This is part of the rapid response page for XI. You can presently remove the link from notifications if you wish. Otherwise in the next release there will be a config option to send them to a normal login page instead of autologin.
Edit: I shouldn't say that the ability for your colleagues to log in as you is intentional. But it does contain part of your backend API key that is used for authentication. The effect when the normal recipient uses the link, however, is intentional.
Nagios-Plugins maintainer exclusively, unless you have other C language bugs with open-source nagios projects, then I am happy to help! Please pm or use other communication to alert me to issues as I no longer track the forum.
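The practical defensive takeaway from this thread is that the "Respond" rapid-response link carries an authentication secret, so an alert body must be treated as credential-bearing before it is forwarded or archived. The following is an added example, not code from Nagios or from either poster, that finds such links in an alert body and strips their query string while leaving the plain "Nagios URL" intact. It assumes only what the thread shows: the link targets `rr.php` and the secret lives in its query string; the sample alert and the token value in it are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample alert modelled on the one quoted in the thread.
# The "Respond" query string is a made-up placeholder, not a real token.
SAMPLE_ALERT = """***** Nagios XI Alert *****
Nagios has detected a problem with this service.
Notification Type: PROBLEM
Service: Memory Usage
Host: NameHost
Address: 192.0.2.10
State: WARNING
Info:
WARNING: Free memory percentage is less than or equal to 10%: 7% (73 MiB)
Date/Time: 25/06/2013 11:42:47
Respond: http://nagiosIP/nagiosxi//rr.php?uid=50&token=PLACEHOLDERTOKEN0000
Nagios URL: http://nagiosIP/nagiosxi/
"""

# Matches http(s) URLs up to the first whitespace or quote/angle bracket.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_autologin_link(url):
    """True if the URL targets the rapid-response handler and carries a query string.

    A bare rr.php URL with no query carries no secret and is left alone.
    """
    parts = urlsplit(url)
    return parts.path.endswith("/rr.php") and bool(parts.query)


def find_autologin_links(text):
    """Return every credential-bearing rapid-response link found in the text."""
    return [url for url in URL_RE.findall(text) if is_autologin_link(url)]


def redact_autologin_links(text):
    """Replace the query string of each rapid-response link with a marker.

    Scheme, host and path are kept so the reader still sees where the link
    pointed; only the part that authenticates the recipient is removed.
    """
    def _redact(match):
        url = match.group(0)
        if not is_autologin_link(url):
            return url
        p = urlsplit(url)
        stripped = urlunsplit((p.scheme, p.netloc, p.path, "", ""))
        return stripped + "?[credential-redacted]"

    return URL_RE.sub(_redact, text)


if __name__ == "__main__":
    print("links found:", find_autologin_links(SAMPLE_ALERT))
    print(redact_autologin_links(SAMPLE_ALERT))
```

Running a filter like this on the outbound mail path (or in a mail client forwarding rule) keeps the auto-login behaviour for the original recipient, who gets the unmodified notification, while anything that leaves that mailbox no longer carries the key fragment.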