Nagios Support Forum

Support for Nagios products and services
https://support.nagios.com/forum/

NagiosXI vulnerabilities question

https://support.nagios.com/forum/viewtopic.php?t=44184

Page 1 of 1

NagiosXI vulnerabilities question

Posted: Tue Jun 06, 2017 8:59 am
by RockerMan
Hi

Our company is auditing network security resources. When scanning by Nessus on the NagiosXI server (CentOS 6.9), a "medium" vulnerability was detected.

Code: Select all

33821 (1) - .svn/entries Disclosed via Web Server
Synopsis
The remote web server discloses information due to a configuration weakness.
Description
The web server on the remote host allows read access to '.svn/entries' files. This exposes all file names in your svn module on your website. This flaw can also be used to download the source code of the scripts (PHP, JSP, etc...) hosted on the remote server.
Solution
Configure permissions for the affected web server to deny access to the '.svn' directory.
Risk Factor
Medium
Nessus was able to retrieve the contents of '.svn/entries' using the following URL :
 http://<our_IP_addr>/nagiosxi/includes/dashlets/rss_dashlet/.svn/entries
---
46803 (1) - PHP expose_php Information Disclosure
Synopsis
The configuration of PHP on the remote host allows disclosure of sensitive information.
Description
The PHP install on the remote server is configured in a way that allows disclosure of potentially sensitive information to an attacker through a special URL. Such a URL triggers an Easter egg built into PHP itself. 
Other such Easter eggs likely exist, but Nessus has not checked for them.
Solution
In the PHP configuration file, php.ini, set the value for 'expose_php' to 'Off' to disable this behavior. Restart the web server daemon to put this change into effect.
Risk Factor
Medium
Nessus was able to verify the issue using the following URL :
 http://<our_IP_addr>/nagiosxi/login.php/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
The solutions proposed by Nessus are not work. If, for example, in php.ini put "expose_php = off", then the all hosts on the Nagios Core and NagiosXI screen not showing.

Tell me please:
- how to eliminate the vulnerability in PHP?
- what permissions to the directory ".svn" and the file "entries" need to setup in order to eliminate the vulnerability?

Now they have such rights:

Code: Select all

# ls -al .../nagiosxi/html/includes/dashlets/rss_dashlet
drwxr-x---.  4 nagios nagios 4096 Oct 15  2013 .
drwxr-x---. 11 nagios nagios 4096 Jun  6 10:04 ..
...
drwxr-x---.  6 nagios nagios 4096 Oct 15  2013 .svn

Code: Select all

# ls -al .../nagiosxi/html/includes/dashlets/rss_dashlet/.svn
drwxr-x---. 6 nagios nagios 4096 Oct 15  2013 .
drwxr-x---. 4 nagios nagios 4096 Oct 15  2013 ..
...
-r-xr-x---. 1 nagios nagios  699 Oct 15  2013 entries
...
Best Regards

Re: NagiosXI vulnerabilities question

Posted: Tue Jun 06, 2017 12:22 pm
by dwhitfield
What version of XI are you using? That will help us track down any reports of security vulnerabilities. Thanks!

Re: NagiosXI vulnerabilities question

Posted: Wed Jun 07, 2017 1:38 am
by RockerMan
dwhitfield wrote:What version of XI are you using? That will help us track down any reports of security vulnerabilities. Thanks!
Sorry, NagiosXI v.5.4.5

Now the solution proposed by Nessus is work. Edit php.ini, wrote there expose_php = Off, it works. Apparently, it was necessary to restart the process of nagios in addition to restart apache.
For the second vulnerability, you forum already have a solution. I'm did not look first, post a topic at once, sorry, this is my mistake. Here is the address where the solution is the second vulnerability.

Thanks, topic can be closed.
Best Regards

Re: NagiosXI vulnerabilities question

Posted: Wed Jun 07, 2017 9:10 am
by dwhitfield
Thanks for the link! I'm sure it will help others!
All times are UTC-05:00
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited