Re: [Nagios-devel] Security issue


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Ton Voon wrote:
> On 27 Oct 2008, at 08:51, Andreas Ericsson wrote:
>
>> The rest of the nagios-devel mailing list, you may want to mark this
>> thread as important, although an announce will be sent once the issues
>> Tim discovered have been fixed.
>
> I notice that there have been patches applied to Nagios for this
> issue, but it is not clear what the security issue is.
>
> Can you explain what the issue is, what the exposure is, and what the
> fix does?
>
> Ton


Hi Ton,

It was a possible Cross-Site Request Forgery attack against cmd.cgi,
which allows an authorized attacker to inject external commands into
Nagios. In the worst case the attacker might execute any shell code.

I don't want to go deeper into this on publicly readable resources. I've
tested the possible attack and it was evil enough for me to update as
soon as possible.

Regards,
Hendrik
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkkSkXwACgkQlI0PwfxLQjlzAQCfQsTvMCCsFtWQOJD+FpRrw2gB
wk8An10v2Ilu/zvTb0mJUW2E//klmseT
=xWDE
-----END PGP SIGNATURE-----





This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]