Hello,
First, it is my understanding that the URL in an alert/notification email is user specific. If a recipient uses that URL to acknowledge an alert, it is marked as acknowledged by that user. This leads into my second question and area of concern.
One of our users forwarded an email to me that he had received from Nagios. I clicked on his URL and, without providing credentials of any kind, became that user in the NagiosXI interface. This raises obvious security concerns that we would like to quantify before moving forward with our implementation. Under what conditions can/should that ever happen? Is it possible a user could usurp the identity of a higher privileged user by obtaining one of their acknowledgement URLs?
Please let me know if you have questions about any specifics...
thank you,
Clint
NagiosXI User Identity Usurped by Acknowledgement URL
sreinhardt (-fno-stack-protector)
Posts: 4366
Joined: Mon Nov 19, 2012 12:10 pm
Re: NagiosXI User Identity Usurped by Acknowledgement URL
Yes, it is entirely possible to become logged in as a higher privileged user if that user passes on an email to someone else. There is a configuration option to disable the rapid response URL though. As of 2012R2.3, there is a configuration option to disable the auto login, and instead forward to a login page that then sends to the service page to acknowledge the issue. You can enable this by modifying /usr/local/nagiosxi/html/config.inc.php to include the line below:
Code:
$cfg['secure_response_url']=1;

Nagios-Plugins maintainer exclusively, unless you have other C language bugs with open-source nagios projects, then I am happy to help! Please pm or use other communication to alert me to issues as I no longer track the forum.
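As an added example (not code from this thread or from Nagios XI itself), the following POSIX shell audit checks whether a config.inc.php actually carries the `$cfg['secure_response_url']=1;` line the answer above recommends, treating a commented-out, zero-valued or missing setting as "rapid-response URLs still auto-login". The config path is the one named in the answer; the sample files built in `demo()` are constructed for illustration only.

```shell
#!/bin/sh
# Added example, not code from the Nagios forum thread or from Nagios XI.
# Audits a Nagios XI config.inc.php for the setting described in the answer:
# $cfg['secure_response_url']=1; makes the ticketed rapid-response URL redirect
# to the login page instead of logging the visitor in as the URL's owner.
# The config path is the one given in the thread; the sample files created in
# demo() are constructed here for illustration.

NAGIOSXI_CONFIG=/usr/local/nagiosxi/html/config.inc.php

# Return 0 when an uncommented line sets secure_response_url to 1, 1 otherwise.
# "Otherwise" covers: setting absent (the auto-login behaviour the thread
# describes), set to 0, commented out with // or #, or file unreadable.
# The regex tolerates either quote style and optional whitespace around '='.
secure_response_url_enabled() {
    file="$1"
    [ -r "$file" ] || return 1
    pattern='^[[:space:]]*\$cfg\[.secure_response_url.][[:space:]]*=[[:space:]]*1[[:space:]]*;'
    grep -Eq "$pattern" "$file"
}

# Print a one-line verdict for a config file; the exit status mirrors the check
# so it can run from cron or a configuration-management tool.
audit_rapid_response() {
    file="${1:-$NAGIOSXI_CONFIG}"
    if secure_response_url_enabled "$file"; then
        echo "OK: $file requires login before acknowledging via a rapid-response URL"
        return 0
    fi
    echo "WARN: $file lets a forwarded rapid-response URL log in as its owner (secure_response_url is not set to 1)"
    return 1
}

# Demo on constructed files (not real Nagios XI configs).
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '<?php' "\$cfg['secure_response_url']=1;" > "$tmp/hardened.php"
    printf '%s\n' '<?php' "// \$cfg['secure_response_url']=1;" > "$tmp/commented.php"
    printf '%s\n' '<?php' "\$cfg[\"secure_response_url\"] = 0;" > "$tmp/disabled.php"
    printf '%s\n' '<?php' "\$cfg['url']='http://nagios.example/nagiosxi/';" > "$tmp/absent.php"
    for f in hardened commented disabled absent; do
        audit_rapid_response "$tmp/$f.php" || true
    done
    rm -rf "$tmp"
}

demo
```

Run it without arguments as `audit_rapid_response` on a real server to check the live file; only the hardened sample in the demo reports OK.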
Re: NagiosXI User Identity Usurped by Acknowledgement URL
uidaho wrote:
Is it possible a user could usurp the identity of a higher privileged user by obtaining one of their acknowledgement URLs?
Yes. The URL includes a ticket # for the user on the XI backend. This is for rapid response, and is primarily a convenience issue. Follow Spencer's suggestion to disable it if your environment cannot guarantee the security of the emails.
Former Nagios employee
"It is turtles. All. The. Way. Down. . . .and maybe an elephant or two."
VI VI VI - The editor of the Beast!
Come to the Dark Side.
Re: NagiosXI User Identity Usurped by Acknowledgement URL
Thank you, I will pass this info along!