
Nagios XI Vulnerabilities

Posted: Thu Aug 11, 2016 3:17 am
by riconeo
Version: Nagios XI 5.2.9

1) HTTP TRACE / TRACK Methods Allowed
The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections.
> How can we disable it? Will it affect Nagios XI operation?

2) .svn/entries Disclosed via Web Server
The web server on the remote host allows read access to '.svn/entries' files. This exposes all file names in your svn module on your website. This flaw can also be used to download the source code of the scripts (PHP, JSP, etc...) hosted on the remote server.
> How can we configure permissions for the affected web server to deny access to the '.svn' directory? Will this affect Nagios XI operation?

3) Web Application Potentially Vulnerable to Clickjacking
The remote web server does not set an X-Frame-Options response header or a Content-Security-Policy 'frame-ancestors' response header in all content responses. This could potentially expose the site to a clickjacking or UI redress attack, in which an attacker can trick a user into clicking an area of the vulnerable page that is different than what the user perceives the page to be. This can result in a user performing fraudulent or malicious transactions.
X-Frame-Options has been proposed by Microsoft as a way to mitigate clickjacking attacks and is currently supported by all major browser vendors.
Content-Security-Policy (CSP) has been proposed by the W3C Web Application Security Working Group, with increasing support among all major browser vendors, as a way to mitigate clickjacking and other attacks. The 'frame-ancestors' policy directive restricts which sources can embed the protected resource.
Note that while the X-Frame-Options and Content-Security-Policy response headers are not the only mitigations for clickjacking, they are currently the most reliable methods that can be detected through automation. Therefore, this plugin may produce false positives if other mitigation strategies (e.g., frame-busting JavaScript) are deployed or if the page does not perform any security-sensitive transactions.

Solution
Return the X-Frame-Options or Content-Security-Policy (with the 'frame-ancestors' directive) HTTP header with the page's response.
This prevents the page's content from being rendered by another site when using the frame or iframe HTML tags.
How can we do this and will it affect the Nagios operation?

4) SSH Weak Algorithms Supported
Remote SSH server is configured to use the Arcfour stream cipher or no cipher at all. RFC 4253 advises against using Arcfour due to an issue with weak keys.
How can we remove the weak ciphers without affecting Nagios operation?

Re: Nagios XI Vulnerabilities

Posted: Thu Aug 11, 2016 9:44 am
by tmcdonald
1, 2, and 4 are not necessarily vulnerabilities in XI itself, but are fairly easy to remedy and should not affect operation:

1.) Add the following lines to your /etc/httpd/conf.d/nagiosxi.conf file just below the line RewriteEngine On:

Code:

RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

2.) Add the following lines to the top of your /etc/httpd/conf.d/nagiosxi.conf file:

Code:

RedirectMatch 404 (?i)\.git
RedirectMatch 404 (?i)\.svn

Then save and restart Apache with service httpd restart.

4.) Review the information in the following article: http://security.stackexchange.com/quest ... centos-6-5

You or your team will need to determine which values are appropriate for your environment.

As for item 3, I will discuss this with the developers.

Re: Nagios XI Vulnerabilities

Posted: Mon Aug 15, 2016 11:58 am
by tmcdonald
Can you provide any details for item 3? As the report states, there might be false positives due to the nature of those headers, and without some PoC (proof of concept) code it will be hard to tell if this was properly addressed or not.

Re: Nagios XI Vulnerabilities

Posted: Tue Aug 16, 2016 7:46 am
by riconeo
tmcdonald wrote: Can you provide any details for item 3? As the report states, there might be false positives due to the nature of those headers, and without some PoC (proof of concept) code it will be hard to tell if this was properly addressed or not.
Hi,

Below is the output from the scan, in which I have replaced the actual hostname with 'hostname':

The following pages do not use a clickjacking mitigation response header and contain a clickable event:

- https://hostname/nagiosxi/about/
- https://hostname/nagiosxi/login.php

The following pages do not use a clickjacking mitigation response header and contain a clickable event:

- http://hostname/nagiosxi/about/
- http://hostname/nagiosxi/login.php

Re: Nagios XI Vulnerabilities

Posted: Tue Aug 16, 2016 10:18 am
by tmcdonald
No response header, but I have been told we have a frame-buster in place, similar to: https://www.owasp.org/index.php/Clickja ... ing_Script

Re: Nagios XI Vulnerabilities

Posted: Tue Aug 16, 2016 10:36 am
by riconeo
tmcdonald wrote: No response header, but I have been told we have a frame-buster in place, similar to: https://www.owasp.org/index.php/Clickja ... ing_Script
Hi,

Will you be able to provide me with the command to get the proof so that I can close it?
Thanks.

Re: Nagios XI Vulnerabilities

Posted: Tue Aug 16, 2016 3:53 pm
by tmcdonald
Speaking to the developers, they do plan on adding the appropriate headers in 5.3.0 when it gets released. For now though, it looks like the frame-buster is only applied to the login page. If you log out and save the following to a .htm file then load it in a browser, you will see the web interface break out of the frame. You will need to replace the URL/IP with your own:

Code:

<!doctype html>
<html>
<head>
	<title>Frame-Buster Test</title>
</head>
<body>
<iframe src="http://192.168.1.100/nagiosxi/login.php"></iframe>
</body>
</html>

This does not appear to affect the About page.
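A small verification script, added here and not part of the thread or of Nagios XI itself, that re-checks items 1 to 3 against a server after the Apache changes above: it sends a TRACE, requests '.svn/entries', and inspects the response headers on the two pages the scan flagged. It assumes the '/nagiosxi/' paths from the scan output and a base URL you supply; a page with no header but with frame-busting JavaScript still reports as unmitigated, which is exactly the false-positive case the report warns about, so that result needs the manual iframe test from the post above.

```python
"""Added checker for items 1-3: TRACE/TRACK, .svn/entries, clickjacking headers."""
import json
import sys
import urllib.error
import urllib.request

def trace_blocked(status):
    """Item 1: 403 (the RewriteRule [F] above), 405 or 501 means TRACE is refused."""
    return status in (403, 405, 501)

def svn_hidden(status):
    """Item 2: '.svn/entries' must not be readable; 404 (the RedirectMatch) or 403 both hide it."""
    return status in (403, 404)

def clickjacking_header_present(headers):
    """Item 3: X-Frame-Options DENY/SAMEORIGIN or a CSP frame-ancestors directive.
    Frame-busting JavaScript is invisible here, so False only means 'no header':
    confirm with the iframe test from the thread before treating it as a finding."""
    lowered = {k.lower(): v for k, v in headers.items()}
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo.startswith(("DENY", "SAMEORIGIN")):
        return True
    csp = lowered.get("content-security-policy", "")
    return any(d.strip().lower().startswith("frame-ancestors") for d in csp.split(";"))

def fetch(url, method="GET"):
    """Return (status, headers); 4xx/5xx are answers to record, not errors."""
    req = urllib.request.Request(url, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:  # self-signed certs need a trusted CA
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)

def check_nagiosxi(base):
    """base is e.g. 'https://hostname' (placeholder, as in the scan output above)."""
    results = {"trace_blocked": trace_blocked(fetch(base + "/nagiosxi/", "TRACE")[0]),
               "svn_hidden": svn_hidden(fetch(base + "/nagiosxi/.svn/entries")[0])}
    for page in ("/nagiosxi/about/", "/nagiosxi/login.php"):  # pages the scan flagged
        results["header_mitigated " + page] = clickjacking_header_present(fetch(base + page)[1])
    return results

if __name__ == "__main__":
    print(json.dumps(check_nagiosxi(sys.argv[1].rstrip("/")), indent=2))
```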

Re: Nagios XI Vulnerabilities

Posted: Thu Aug 25, 2016 12:21 am
by riconeo
Hi,

I will wait for the new release 5.3.0 before closing this thread.
Thanks for the help so far!

Regards,
Rico Neo

Re: Nagios XI Vulnerabilities

Posted: Thu Aug 25, 2016 9:17 am
by tmcdonald
Not a problem. I can't give an exact release date, but 5.3.0 is what we are currently focusing on releasing so it won't be long!