Basic Auth code bug in Nagios XI 5.5.11
Posted: Fri Apr 12, 2019 10:45 am
Hi,
We've just upgraded to Nagios XI 5.5.11 and experienced a bug in how the code deals with users authenticated via BasicAuth.
We use Apache's Mellon module to enable Single Sign On, and so when a user signs in through SSO it sets the BasicAuth username header to whatever they authenticated as.
Nagios XI 5.5.11 then ignores the basic auth header and forces the user to use the local authentication system, which meant for us having to use the locally set password instead of our central AD-based password used in the SSO process.
The bug in the code is as follows:
Line 117 of /nagiosxi/html/includes/auth.inc.php has the check

Code:
// HTTP basic authentication support
if ($remote_user = is_http_basic_authenticated()) {
    $uid = get_user_id($remote_user);

which calls this function on line 250

Code:
function is_http_basic_authenticated()
{
    $remote_user = "";
    if (isset($_SERVER["REMOTE_USER"])) {
        $remote_user = $_SERVER["REMOTE_USER"];
    }
    if (!empty($remote_user)) {
        return true;
    } else {
        return false;
    }
}

The problem is that this line

Code:
$remote_user = is_http_basic_authenticated()

will only ever return true or false, so the user lookup will fail

Code:
$uid = get_user_id($remote_user);

as it essentially ends up being get_user_id(1); with the get_user_id() function being a database lookup of the username.
I've fixed this by changing the initial block of code to be

Code:
// HTTP basic authentication support
if ($remote_user = is_http_basic_authenticated()) {
    #############
    # added actual username variable - Mickey 12/04
    #############
    $remote_user = $_SERVER["REMOTE_USER"];
    # ###########
    $uid = get_user_id($remote_user);

so the $remote_user is replaced with the actual username instead of just '1'.
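The failure the post describes, shown as an added PHP example that is not part of the original post and not Nagios XI's own code: the boolean-returning helper as quoted, next to a variant that returns the username (or false) so the assignment-in-condition at line 117 receives a name rather than `true`. The in-memory user table, the stand-in `get_user_id()`, and the names `http_basic_remote_user`, `lookup_buggy` and `lookup_fixed` are assumptions made for this example only.

```php
<?php
// Added example, not Nagios XI code. Shows why a bool from
// is_http_basic_authenticated() breaks the username lookup, and one
// way to hand the lookup the real username instead.

// Constructed stand-in for the users table that get_user_id() queries.
const USERS = ["nagiosadmin" => 1, "mickey" => 42];

// Stand-in for the real get_user_id() database lookup (assumption).
// Whether the value is interpolated or bound, it reaches the query as a
// string, and PHP casts bool true to "1", which matches no username.
function get_user_id($username)
{
    $key = (string) $username;
    return USERS[$key] ?? false;
}

// The helper as quoted in the post: it only reports whether the server
// populated REMOTE_USER and discards the value itself.
function is_http_basic_authenticated()
{
    return !empty($_SERVER["REMOTE_USER"]);
}

// The flow from line 117 as quoted: the assignment inside the condition
// stores the bool, so the lookup runs for "1" rather than for the user.
function lookup_buggy()
{
    if ($remote_user = is_http_basic_authenticated()) {
        return get_user_id($remote_user);
    }
    return false;
}

// Alternative helper (hypothetical name): return the username, or false
// when no server-side auth module set REMOTE_USER.
function http_basic_remote_user()
{
    $remote_user = $_SERVER["REMOTE_USER"] ?? "";
    return $remote_user !== "" ? $remote_user : false;
}

// Comparing against false instead of relying on truthiness also covers a
// username such as "0", which PHP would otherwise treat as falsy.
function lookup_fixed()
{
    if (($remote_user = http_basic_remote_user()) !== false) {
        return get_user_id($remote_user);
    }
    return false;
}

// Simulate what Apache exposes to PHP after mod_auth_mellon has signed
// the user in, then the case where no auth module ran at all.
$_SERVER["REMOTE_USER"] = "mickey";
var_dump(lookup_buggy());
var_dump(lookup_fixed());

unset($_SERVER["REMOTE_USER"]);
var_dump(lookup_buggy());
var_dump(lookup_fixed());
```

Run it with `php example.php`. With REMOTE_USER set to "mickey", `lookup_buggy()` returns false because the lookup was performed for the string "1", while `lookup_fixed()` returns 42; with REMOTE_USER unset, both return false. The reason trusting this variable is acceptable at all is that REMOTE_USER is written by the server-side authentication module (mod_auth_mellon in the poster's setup): PHP exposes client-supplied request headers under HTTP_* names, so a `Remote-User` header sent by a client shows up as HTTP_REMOTE_USER and must never be read as an identity.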