[Nagios-devel] CGI path disclosure
Posted: Mon Oct 04, 2004 5:34 am
Ahoy.

A few of the CGIs print the paths and names of the logfiles they show. I suspect this is a debugging easter egg.

While providing little real value for an authorized user, it gives a potential attacker information about the system. That's always a Bad Thing.

Attached are two patches. One completely removes the printing of the logfile name, and the other de-canonicalizes the name and prints only the actual filename without the leading path.
--
Andreas Ericsson [email protected]
OP5 AB www.op5.se
Lead Developer
Attachment: nagios-cgi_path_disclosure_cutpath.diff
diff -urN nagios.orig/cgi/cgiutils.c nagios/cgi/cgiutils.c
--- nagios.orig/cgi/cgiutils.c 2004-08-11 05:10:04.000000000 +0200
+++ nagios/cgi/cgiutils.c 2004-10-04 15:24:38.000000000 +0200
@@ -1584,6 +1584,7 @@
void display_nav_table(char *url,int archive){
char date_time[MAX_DATETIME_LENGTH];
char archive_file[MAX_INPUT_BUFFER];
+ char *archive_basename;
if(log_rotation_method!=LOG_ROTATION_NONE){
printf("\n");
@@ -1636,8 +1637,16 @@
printf("\n");
}
+ /* get archive to use */
get_log_archive_to_use(archive,archive_file,sizeof(archive_file)-1);
- printf("File: %s\n",archive_file);
+
+ /* cut the pathname for security, and the remaining slash for clarity */
+ archive_basename=(char *)&archive_file;
+ if(strrchr((char *)&archive_basename, '/')!=NULL)
+ archive_basename=strrchr((char *)&archive_file, '/')+1;
+
+ /* now it's safe to print the filename */
+ printf("File: %s\n",archive_basename);
return;
}
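Review bot: the guard `if(strrchr((char *)&archive_basename, '/')!=NULL)` passes the address of the pointer variable itself, not the string it points to, so strrchr scans the raw bytes of the pointer (and whatever follows them on the stack until a NUL) rather than the path. The outcome is unrelated to whether archive_file contains a slash: when the guard is false the full path is printed anyway, and when it is true for a path with no slash, `strrchr((char *)&archive_file, '/')+1` becomes NULL+1 and the printf reads from an invalid pointer. The casts are also unnecessary since the array decays to `char *`. Call strrchr once on the buffer and branch on its result, e.g. `char *slash=strrchr(archive_file,'/');` followed by `archive_basename=(slash!=NULL)?slash+1:archive_file;`, which also makes the `archive_basename=(char *)&archive_file;` line redundant.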
Attachment: nagios-cgi_path_disclosure_noprint.diff
diff -urN nagios.orig/cgi/cgiutils.c nagios/cgi/cgiutils.c
--- nagios.orig/cgi/cgiutils.c 2004-08-11 05:10:04.000000000 +0200
+++ nagios/cgi/cgiutils.c 2004-10-04 14:36:43.000000000 +0200
@@ -1636,9 +1636,6 @@
printf("\n");
}
- get_log_archive_to_use(archive,archive_file,sizeof(archive_file)-1);
- printf("File: %s\n",archive_file);
-
return;
}
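Review bot: removing the get_log_archive_to_use() call along with the printf is only correct if nothing else in display_nav_table reads archive_file afterwards; the declaration `char archive_file[MAX_INPUT_BUFFER];` at the top of the function (visible in the first hunk of the cutpath patch) is not touched here, so if this was the only use it is now an unused buffer that -Wall will flag and the declaration should be dropped in the same patch. If the buffer is still consumed elsewhere in the function, keep the get_log_archive_to_use() call and remove only the printf.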
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
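As an added illustration that is not part of the mailing-list post or of Nagios, here is the basename-only rendering the cutpath patch is aiming for, written as a stand-alone C program. The function names log_basename and format_file_line and the sample paths are constructed for this example; the edge cases (no slash at all, a path ending in a slash) are the ones a patch of this kind has to get right.

```c
#include <stdio.h>
#include <string.h>

/* Return a pointer to the last path component of `path`: the text after the
 * final '/', or `path` itself when it contains no '/'. The result aliases the
 * caller's buffer; nothing is copied or allocated. A path that ends in '/'
 * yields an empty string, which still discloses no directory name. */
const char *log_basename(const char *path)
{
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* Render the "File: ..." line the nav table prints, stripped of the leading
 * directory. Writes into `out` (capacity `outlen`) and returns the length the
 * full line would have, exactly as snprintf does, so (NULL, 0) measures it. */
int format_file_line(const char *archive_file, char *out, size_t outlen)
{
    return snprintf(out, outlen, "File: %s\n", log_basename(archive_file));
}

int main(void)
{
    /* Constructed sample paths; these are not Nagios' real defaults. */
    const char *samples[] = {
        "/usr/local/nagios/var/archives/nagios-10-04-2004-00.log",
        "nagios.log",
        "/usr/local/nagios/var/archives/",
    };
    char line[256];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        format_file_line(samples[i], line, sizeof line);
        fputs(line, stdout);
    }
    return 0;
}
```

The point of routing every print through one helper is that the directory layout of the installation never reaches the HTTP response, whichever CGI produces the navigation table; a reviewer can grep for calls to format_file_line rather than auditing each printf individually.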