Cross Frame Scripting XFS

Posted: Wed Aug 28, 2019 11:36 am
by sugardaddyz
Hi guys,

Recently our security team has detected the above vulnerability for Nagios Core monitoring webpage. Is there an existing solution we can apply to address that?

Thank you

Re: Cross Frame Scripting XFS

Posted: Wed Aug 28, 2019 11:51 am
by scottwilkerson
Can you give an example? Also, what version of Nagios Core are you using?

Re: Cross Frame Scripting XFS

Posted: Thu Aug 29, 2019 10:13 pm
by sugardaddyz
Using Nagios Core 4.4.3

The team noted that it was possible to capture the login page of the application within an HTML frame of another page, as well as all the keystrokes that are entered by the user. In addition, it was also possible to authenticate to the web application within the HTML frame. The team also noted that there was no ‘X-Frame-Options’ header in the HTTP response.

Re: Cross Frame Scripting XFS

Posted: Fri Aug 30, 2019 7:02 am
by scottwilkerson
sugardaddyz wrote: The team noted that it was possible to capture the login page of the application within an HTML frame
They must be mistaken, because there isn't a login page in the application; it just uses Basic Authentication.

Re: Cross Frame Scripting XFS

Posted: Thu Sep 05, 2019 10:07 pm
by sugardaddyz
Hi Scott,

When accessing the Nagios Core webpage, a basic authentication box pops up, then we log in to reach the Nagios Core homepage.

We tried this using an iframe; we were able to capture the basic authentication box pop-up too.

If we enable xframe deny all on httpd, the Nagios Core webpage will not be able to show. Is there any way to allow the Nagios Core UI to function as normal with xframe deny all enabled?

Re: Cross Frame Scripting XFS

Posted: Fri Sep 06, 2019 6:53 am
by scottwilkerson
sugardaddyz wrote: Is there any way to allow the Nagios Core UI to function as normal with xframe deny all enabled?
No, because Nagios displays its content within frames.

If you disabled it just for the index.php page it should work, but the rest of the pages need to be able to display in a frame.
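An added Apache httpd example of the per-page approach described in this thread (it is not from the Nagios project or from either poster). It assumes the stock Nagios Core layout, with /usr/local/nagios/share aliased at /nagios and /usr/local/nagios/sbin at /nagios/cgi-bin, and that mod_headers is loaded. It goes slightly beyond the thread by using SAMEORIGIN (and the equivalent CSP frame-ancestors directive) for the framed pages, since Nagios only ever frames its own origin.

```apache
# Added example: frame protection for Nagios Core under Apache httpd.
# Assumes the stock Nagios Core httpd.conf layout:
#   Alias /nagios "/usr/local/nagios/share"
#   ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"
# and that mod_headers is enabled (e.g. "a2enmod headers" on Debian/Ubuntu).
#
# index.php is the frameset container and the only page meant to load at
# top level, so it gets DENY. Every other page (side.php, main.php, the
# CGIs) is loaded inside that frameset from the same origin, so SAMEORIGIN
# keeps the UI working while still refusing cross-origin framing.
# "always" puts the header on the 401 Basic-auth challenge as well, which
# is the first response a third-party frame would receive.

<Directory "/usr/local/nagios/share">
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Content-Security-Policy "frame-ancestors 'self'"

    # A <Files> block nested in <Directory> is merged after the
    # enclosing directory's directives, so DENY wins for index.php only.
    <Files "index.php">
        Header always set X-Frame-Options "DENY"
        Header always set Content-Security-Policy "frame-ancestors 'none'"
    </Files>
</Directory>

# The CGIs live in a separate directory and are framed too.
<Directory "/usr/local/nagios/sbin">
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Content-Security-Policy "frame-ancestors 'self'"
</Directory>

# If you already send a Content-Security-Policy header, add the
# frame-ancestors directive to that policy instead of setting a second one.
```

After `apachectl configtest` and a reload, confirm with `curl -I` that /nagios/index.php returns DENY and /nagios/side.php returns SAMEORIGIN, both on the unauthenticated 401 response and after supplying credentials.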