Re: [Nagios-devel] Security issue




On 6 Nov 2008, at 21:51, Tobias Scherbaum wrote:
> What about Nagios-2? I guess it is affected too, will there be patches
> as well?

I've looked at the effects on Opsview's patched Nagios 2.10 and I can
confirm that other commands can get run with a carefully crafted POST
query.

I've patched Nagios 2 so that linefeeds cause an error (http://trac.opsview.org/browser/trunk/o ... h?rev=1653) and I've also disabled all the CHANGE_* commands that reference check commands (http://trac.opsview.org/browser/trunk/o ... h?rev=1653). For some reason, it looks like those external commands don't work anyway - Nagios writes a corrupted value into retention.dat for the new check command, which suggests this functionality was broken at some point (though that could be due to some local patch we've applied).

There's the session handling portion, which I've decided to not
backport for now.

There's another component, which is the large change of the handling
of commands in cmd.cgi. Andreas says "vulnerabilities [...] resulted
in cmd.cgi potentially accepting commands from low-privileged users
that those users should not have been able to submit". However, I
don't quite understand why this is required yet. Any additional
explanation here?

Great work from the community on this!

Ton

This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
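The two mitigations the post describes (rejecting linefeeds in user-supplied fields before a command is written to the external command file, and refusing the CHANGE_* commands that reference check commands) can be shown in a few lines of C. The block below is an added illustration written for this archive page; it is not Ton's code, not the Opsview patch at the truncated URLs above, and not Nagios source. The command line format "[timestamp] COMMAND;arguments" is the real Nagios external command format; the deny list and the sample inputs are constructed assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Returns 1 if s contains a CR or LF. Nagios reads the external command file
 * one line at a time, so a line break inside a user-supplied field ends the
 * current command early and lets whatever follows be parsed as a second one.
 * Rejecting such input is the "linefeeds cause an error" fix from the post. */
int contains_line_break(const char *s)
{
    return strpbrk(s, "\r\n") != NULL;
}

/* Illustrative deny list (assumption: the post only says "CHANGE_* commands
 * that reference check commands"; an operator would choose the exact set). */
static const char *const disabled_commands[] = {
    "CHANGE_HOST_CHECK_COMMAND",
    "CHANGE_SVC_CHECK_COMMAND",
};

int command_is_disabled(const char *cmd)
{
    size_t i;
    for (i = 0; i < sizeof disabled_commands / sizeof disabled_commands[0]; i++)
        if (strcmp(cmd, disabled_commands[i]) == 0)
            return 1;
    return 0;
}

/* Formats one command line "[timestamp] COMMAND;args\n" into out.
 * Returns 0 on success; -1 if any field carries a line break, the command is
 * on the deny list, or the result does not fit in out. */
int build_command_line(char *out, size_t outlen, time_t ts,
                       const char *cmd, const char *arg)
{
    int n;
    if (contains_line_break(cmd) || contains_line_break(arg))
        return -1;
    if (command_is_disabled(cmd))
        return -1;
    n = snprintf(out, outlen, "[%ld] %s;%s\n", (long)ts, cmd, arg);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* Convenience wrapper: the formatted line, or NULL when the input is rejected. */
const char *build_or_null(time_t ts, const char *cmd, const char *arg)
{
    static char line[512];
    return build_command_line(line, sizeof line, ts, cmd, arg) == 0 ? line : NULL;
}

int main(void)
{
    /* Constructed inputs: a normal acknowledgement, and one whose comment
     * field contains a line break followed by further text. */
    const char *ok  = build_or_null(1225999999, "ACKNOWLEDGE_HOST_PROBLEM",
                                    "host1;1;1;1;admin;looking into it");
    const char *bad = build_or_null(1225999999, "ACKNOWLEDGE_HOST_PROBLEM",
                                    "host1;1;1;1;admin;x\n[1225999999] OTHER_COMMAND;host1");
    printf("normal input: %s", ok ? ok : "(rejected)\n");
    printf("input with line break: %s", bad ? bad : "(rejected)\n");
    printf("CHANGE_HOST_CHECK_COMMAND disabled: %d\n",
           command_is_disabled("CHANGE_HOST_CHECK_COMMAND"));
    return 0;
}
```

The check has to run on every field that ends up in the command line, not only on the comment, and it has to happen before the line is assembled; validating the assembled line afterwards would not distinguish the legitimate trailing newline from an injected one.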