Re: [Nagios-devel] Security issue


Arno Lehmann wrote:
> Hi,
>
> 06.11.2008 12:45, Andreas Ericsson wrote:
> ...
>> A couple of things to note:
>> * Information disclosure is not possible. No remote user can see
>> anything from your authentication-protected Nagios servers.
>
> I'm not sure this is correct... see what all the web 2.0 stuff is
> about - javascript executes http queries, captures the output, and
> does something with it.
>

No. Javascript and flash are protected by the same-site policy
(according to Tim Starling of the wikimedia foundation, who brought
this to some nagios-developer's attention), so they can't be made
to send stuff from nagios-server.example.com to evilsite.com.

> I guess it's possible for a javascript in Dr. Evil's pages to get the
> cgi output without actually displaying it, and to forward the
> information collected to Dr. Evil's web server.

Yes, but only from CGIs running on evilsite.com. Otherwise javascript
kiddies would be billionaires from ripping people off through online
banking or whatever.

> Don't ask for a sample exploit, please.
>

Well, if you can think one up, you'll have discovered a fundamental
problem in how javascript works (it will be browser-dependent) and
should definitely report it to the developers of that browser.

>> * Invalid commands read from the FIFO are always dropped flat by
>> Nagios.
>> * Since commands must be valid, it's not very easy to submit a
>> command that has all the information required. Social engineering
>> is required.
>> * You *will* notice if this happens to you, since you all of a
>> sudden will end up with cmd.cgi (not in a frame either) saying
>> "Command submitted successfully" or some such.
>
> See above - AJAXified web pages probably can prevent this.
>

Nopes. You see above ;-)

--
Andreas Ericsson [email protected]
OP5 AB www.op5.se
Tel: +46 8-230225 Fax: +46 8-230231
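The two claims in the exchange above, as an added example that is not part of the original post and not code from the Nagios project: a page on evilsite.com can cause the browser to send a request to the Nagios server, but the same-origin rule stops it from reading the CGI output. The host names are the ones used in the thread; the browser model assumes 2008-era cookie behaviour (no SameSite attribute), and the server-side Origin/Referer check at the end is an assumed mitigation for a state-changing endpoint such as cmd.cgi, not something the thread says Nagios does.

```javascript
// Added example (not from the thread): a small model of the browser rule
// Andreas refers to, so both claims can be checked side by side:
//  - a page on evilsite.com can cause a request to be sent to the Nagios
//    server (with the victim's cookies), but
//  - it cannot read the response body, because the origins differ.
// The server-side check at the end is an assumed mitigation, not anything
// Nagios is known to implement.

function defaultPort(protocol) {
  if (protocol === 'https:') return '443';
  if (protocol === 'http:') return '80';
  return '';
}

// Origin = scheme + host + port; path and query play no part in the comparison.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.hostname}:${u.port || defaultPort(u.protocol)}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// What script running on pageUrl can do with a request to targetUrl.
// cookiesAttached models 2008-era browsers (no SameSite cookie attribute),
// which is the assumption behind the cmd.cgi concern in the thread.
function crossSiteRequestModel(pageUrl, targetUrl) {
  return {
    requestSent: true,
    cookiesAttached: true,
    responseReadable: sameOrigin(pageUrl, targetUrl),
  };
}

// Assumed server-side check for a state-changing endpoint such as cmd.cgi:
// accept the command only when the request's Origin (or, failing that,
// Referer) header is the server's own origin. A missing or unparsable
// header (e.g. "Origin: null") is treated as cross-site and rejected.
function shouldAcceptCommand(headers, serverUrl) {
  const source = headers.origin || headers.referer;
  if (!source) return false;
  try {
    return sameOrigin(source, serverUrl);
  } catch (e) {
    return false;
  }
}

// Constructed sample values (host names taken from the thread).
const NAGIOS = 'https://nagios-server.example.com/nagios/cgi-bin/cmd.cgi';
const EVIL = 'http://evilsite.com/index.html';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(crossSiteRequestModel(EVIL, NAGIOS));
  console.log(shouldAcceptCommand({ referer: EVIL }, NAGIOS));
  console.log(shouldAcceptCommand({ origin: 'https://nagios-server.example.com' }, NAGIOS));
}
```

Run with `node` to see the model's verdict for a request from evilsite.com: the request is sent with cookies, the response is not readable, and the assumed Referer check rejects the command. Header names are expected in lowercase, as Node's `http` module presents them.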

This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]