
Security Issue - Nagios XI

Posted: Mon Jul 29, 2013 8:26 am
by twigg0
Hi all,
I have found a security risk in Nagios XI...
If you forward an email about some services to your colleagues, take this one for example:

***** Nagios XI Alert *****

Nagios has detected a problem with this service.

Notification Type: PROBLEM

Service: Memory Usage
Host: NameHost
Address: IPhost
State: WARNING
Info:
WARNING: Free memory percentage is less than or equal to 10%: 7% (73 MiB)
Date/Time: 25/06/2013 11:42:47

Respond: http://nagiosIP/nagiosxi//rr.php?uid=50 ... 6433ebce54
Nagios URL: http://nagiosIP/nagiosxi/

If you click on the first link and then copy/paste the second link into the same window, you are logged in to Nagios XI without knowing the username/password!!!!!

Re: Security Issue - Nagios XI

Posted: Mon Jul 29, 2013 10:51 am
by sreinhardt
Actually this is entirely intentional. This is part of the rapid response page for XI. You can presently remove the link from notifications if you wish. Otherwise in the next release there will be a config option to send them to a normal login page instead of autologin.

Edit: I shouldn't say that the ability for your colleagues to log in as you is intentional. But it does contain part of your backend API key that is used for authentication. The effect when the normal recipient uses the link, however, is intentional.
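The risk raised in the first post and the workaround in the reply (drop the rapid-response link from the notification, or point recipients at the normal login instead) can be enforced on the mail text itself before it is forwarded or templated. The following is an added example, not code from Nagios XI or from either poster; the hostname and the uid value in the sample alert are constructed, and the redaction simply replaces the rr.php link with the plain "Nagios URL" base that the alert already carries.

```python
import re

# Matches a Nagios XI rapid-response link as it appears on the "Respond:" line
# of an alert, e.g. http://host/nagiosxi//rr.php?uid=<token>. The uid token
# carries part of the original recipient's backend API key, so it is the part
# that must never leave that recipient's mailbox.
RR_LINK = re.compile(
    r"(?P<base>https?://[^/\s]+/nagiosxi/+)rr\.php\?uid=(?P<uid>[^\s&]+)(?:&\S*)?",
    re.IGNORECASE,
)

# Constructed sample alert in the same layout as the one quoted in the thread
# (hostname and uid are made up; they are not values from the original post).
SAMPLE_ALERT = """\
***** Nagios XI Alert *****
Notification Type: PROBLEM
Service: Memory Usage
State: WARNING
Respond: http://nagios.example.test/nagiosxi//rr.php?uid=CONSTRUCTED0123abcd
Nagios URL: http://nagios.example.test/nagiosxi/
"""


def find_autologin_links(body: str) -> list:
    """Return the uid tokens of every rapid-response link found in the body."""
    return [m.group("uid") for m in RR_LINK.finditer(body)]


def is_safe_to_forward(body: str) -> bool:
    """True when the body carries no auto-login link (nothing to leak)."""
    return not find_autologin_links(body)


def redact_autologin_links(body: str) -> str:
    """Replace each rr.php?uid=... link with the plain Nagios base URL.

    Recipients of the redacted text land on the normal login page instead of
    being authenticated with the original recipient's API-key fragment.
    """
    return RR_LINK.sub(lambda m: m.group("base").rstrip("/") + "/", body)


if __name__ == "__main__":
    print("tokens found:", find_autologin_links(SAMPLE_ALERT))
    print("safe to forward as-is:", is_safe_to_forward(SAMPLE_ALERT))
    print(redact_autologin_links(SAMPLE_ALERT))
```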