Notification Email Link Security
Posted: Tue Jun 14, 2016 2:49 pm
by hogwash
The links within the notification emails provide direct access into our instance of NagiosXI. A simple URL change after clicking the link logs you directly in to the rest of the portal.
Is this by design? Is there a way to stop this behavior & limit the access that link has to the necessary functionality?
Thank you.
Re: Notification Email Link Security
Posted: Tue Jun 14, 2016 3:33 pm
by bwallace
Does this occur for everyone who receives a notification or a select few?
Are they Nagios XI users or just contacts? No way should contacts gain access to the XI UI...
https://assets.nagios.com/downloads/nag ... ntacts.pdf
Re: Notification Email Link Security
Posted: Tue Jun 14, 2016 3:55 pm
by rkennedy
I just checked on my end with that link, and confirmed it does indeed do a no password or API authentication. I've filed a bug report for this, ID #8821.
Re: Notification Email Link Security
Posted: Wed Jun 15, 2016 10:51 am
by hogwash
Thank you muchly for the replies.
I can confirm this happens for all users, LDAP & local alike.
Pardon my newbness & thank you for filing the bug but two questions:
1) How do I track that bug & its resolution?
2) Are there any workarounds in the meantime or should I just do away with these links in the notifications for now?
Thank you.
M
Re: Notification Email Link Security
Posted: Wed Jun 15, 2016 4:33 pm
by lmiltchev
Add the following line to the "/usr/local/nagiosxi/html/config.inc.php":
and restart apache:
When using the "new" response URL links (after the change), you will be asked to authenticate. Is this what you were looking for?