Possible server path disclosure on showlog.cgi

This forum is intended for the discussion of Nagios Core development. Feature requests, patches, bug fixes, and all types of development-related discussions are welcome!

NOTE: The SourceForge.net nagios-devel mailing list has been deprecated in favor of this forum in order to expedite support and provide additional features not available on the old mailing list.

Possible server path disclosure on showlog.cgi

Postby rajatbel » Wed May 15, 2019 3:20 am

Sensitive data like "/usr/local/nagios/var/nagios.log" is seen on paged displayed with showlog.cgi
One or more fully qualified path names were found on this page.
From this information the attacker may learn the file system structure from the web server. This information can be used to conduct further attacks.
please prevent this information and others from being displayed to the user .
rajatbel
 
Posts: 2
Joined: Tue May 14, 2019 5:31 am

Re: Possible server path disclosure on showlog.cgi

Postby scottwilkerson » Wed May 15, 2019 6:36 am

This would be behind basic authentication where only people with credentials could access.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
User avatar
scottwilkerson
DevOps Engineer
 
Posts: 15398
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises


Return to Nagios Core Development

Who is online

Users browsing this forum: No registered users and 3 guests