Re: [Nagios-devel] Security issue


Hi,

06.11.2008 12:45, Andreas Ericsson wrote:
...
> A couple of things to note:
> * Information disclosure is not possible. No remote user can see
> anything from your authentication-protected Nagios servers.

I'm not sure this is correct... see what all the web 2.0 stuff is
about - javascript executes http queries, captures the output, and
does something with it.

I guess it's possible for a JavaScript in Dr. Evil's pages to get the
cgi output without actually displaying it, and to forward the
information collected to Dr. Evil's web server. Don't ask for a sample
exploit, please.

> * Invalid commands read from the FIFO are always dropped flat by
> Nagios.
> * Since commands must be valid, it's not very easy to submit a
> command that has all the information required. Social engineering
> is required.
> * You *will* notice if this happens to you, since you all of a
> sudden will end up with cmd.cgi (not in a frame either) saying
> "Command submitted successfully" or some such.

See above - AJAXified web pages probably can prevent this.

>
> Hope that clears things up a bit.

Arno

--
Arno Lehmann
IT-Service Lehmann
Sandstr. 6, 49080 Osnabrück
www.its-lehmann.de
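The thread is arguing about a cross-site request forgery against cmd.cgi: a browser that is already authenticated to the Nagios UI can be made to submit a command from a page on another origin, because the browser attaches its credentials automatically. Whatever a script on the foreign page can or cannot read back from the response, the request itself still reaches the server, so the defence belongs on the server. The following is an added example, not Nagios code and not part of the original post: a minimal authorization check for a command-submission endpoint modelled on cmd.cgi. It requires POST, checks that the Origin (or, failing that, Referer) header matches the UI's own origin, and demands a per-session anti-CSRF token that a foreign page cannot know. The origin, secret, session id and request values are all constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed values for this example (hypothetical, not from Nagios):
# the origin the monitoring UI is served from, and a server-side secret
# used to derive per-session anti-CSRF tokens.
ALLOWED_ORIGIN = "https://nagios.example.internal"
SECRET_KEY = b"server-side secret, constructed for this example"


def make_csrf_token(session_id: str) -> str:
    """Derive the anti-CSRF token for a session: HMAC-SHA256 of the session id.

    The token is embedded in the UI's own command form; a page on another
    origin cannot read it, so it cannot forge a complete request."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def origin_is_trusted(headers: dict) -> bool:
    """Accept the request only if it claims to come from our own origin.

    Origin is preferred; if absent, the Referer's scheme://host[:port] is
    used. If neither header is present the request is refused rather than
    guessed about."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == ALLOWED_ORIGIN


def authorize_command(method: str, headers: dict, form: dict,
                      session_id: str) -> tuple[bool, str]:
    """Return (accepted, reason) for one command-submission request.

    `form` holds the decoded request parameters; `session_id` identifies the
    authenticated session the browser presented (e.g. via a cookie)."""
    if method != "POST":
        # A state-changing command must never be reachable through a GET
        # link, image tag or redirect.
        return False, "commands must be submitted with POST"
    if not origin_is_trusted(headers):
        return False, "request did not originate from the monitoring UI"
    token = form.get("csrf_token", "")
    expected = make_csrf_token(session_id)
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(token, expected):
        return False, "missing or invalid anti-CSRF token"
    return True, "accepted"


def demo() -> list[tuple[bool, str]]:
    """Run a set of constructed requests through the check (sample data)."""
    session_id = "sess-1234"
    token = make_csrf_token(session_id)
    requests = [
        # Legitimate submission from the UI's own form.
        ("POST", {"Origin": ALLOWED_ORIGIN},
         {"cmd_typ": "1", "csrf_token": token}),
        # Forged submission from a page on another origin: the browser sent
        # the session cookie, but the origin is wrong and no token is known.
        ("POST", {"Origin": "https://attacker.example"}, {"cmd_typ": "1"}),
        # GET request carrying all the right parameters is still refused.
        ("GET", {"Origin": ALLOWED_ORIGIN},
         {"cmd_typ": "1", "csrf_token": token}),
    ]
    return [authorize_command(m, h, f, session_id) for m, h, f in requests]


if __name__ == "__main__":
    for accepted, reason in demo():
        print("ACCEPT" if accepted else "REJECT", reason)
```

Checking Origin alone is not enough on its own (older clients omit it, and a same-origin XSS bypasses it), which is why the token check stays even when the origin matches; conversely, the token check alone leaves the endpoint open if the token ever leaks into a URL, so both checks are kept.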
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]