Andreas Ericsson wrote:
> Andy Shellam (Mailing Lists) wrote:
>>
>> If you requested the full URL that's passed to the poller back-end,
>> you'd find it extremely difficult to decipher it without the
>> s3_class.inc.php file (as this is what the client front-end does) and
>> to the average Joe it'd be a load of figures and numbers (sure you
>> could base64 decode the relevant part of it, but it'd mean nothing
>> without the s3_class.inc.php.)
>>
>
> Correct me if I'm wrong, but s3_class.inc.php is publicly available,
> no? Either way, securing against "the average Joe" is neither
> difficult nor sufficient. Just worth considering.

Yes, as I've answered before:

a) you'd need to know the application is in fact NLG,
b) you'd need to know which file to use and what to do with it,
c) you'd need the correct part of the returned code,
d) you'd need to know it's a base64-encoded serialisation of the poller object,

and at the end of the day, you should use HTTP authentication on the poller feed anyway.
Also, as I've said before, the poller gives out nothing more than you can access through the front-end anyway (as it's designed to be a public interface), so it'd be a waste of time trying to crack the feed.

I'm more worried about securing things like XSS attacks, which I'm pretty certain NLG is not vulnerable to, as the GET variables are processed in some other way beforehand; they're not printed to the page verbatim.

Thanks,

--
Andy Shellam
NetServe Support Team
the Mail Network
"an alternative in a standardised world"
p: +44 (0) 121 288 0832/0839
m: +44 (0) 7818 000834

_______________________________________________
Nagios-users mailing list
Nagios-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
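
Added example, not part of the original message or of NLG's code: a base64-encoded PHP `serialize()` string is an encoding rather than a secret, and its field names and values can be read with a small parser and no class definition, which is why HTTP authentication is the control that actually restricts the poller feed. The `Poller` class name and its fields are constructed for illustration; the real NLG feed layout is not shown in this thread.

```python
import base64

def parse(buf, pos=0):
    """Read one PHP-serialized value from bytes; return (value, next_pos)."""
    tag = buf[pos:pos + 1]
    if tag == b"N":                                   # N;
        return None, pos + 2
    if tag in (b"i", b"d", b"b"):                     # i:2;  d:0.5;  b:1;
        end = buf.index(b";", pos)
        raw = buf[pos + 2:end]
        if tag == b"b":
            return raw == b"1", end + 1
        return (int if tag == b"i" else float)(raw), end + 1
    if tag == b"s":                                   # s:<byte length>:"...";
        colon = buf.index(b":", pos + 2)
        size = int(buf[pos + 2:colon])
        start = colon + 2                             # skip ':"'
        text = buf[start:start + size].decode("utf-8", "replace")
        return text, start + size + 2                 # skip '";'
    if tag in (b"a", b"O"):                           # a:<n>:{...}  O:<len>:"<class>":<n>:{...}
        out, count_at = {}, pos + 2
        if tag == b"O":
            colon = buf.index(b":", pos + 2)
            size = int(buf[pos + 2:colon])
            start = colon + 2
            # The class name is plain text; no class file is needed to read it.
            out["__class__"] = buf[start:start + size].decode()
            count_at = start + size + 2               # skip '":'
        colon = buf.index(b":", count_at)
        count = int(buf[count_at:colon])
        pos = colon + 2                               # skip ':{'
        for _ in range(count):
            key, pos = parse(buf, pos)
            out[key], pos = parse(buf, pos)
        return out, pos + 1                           # skip '}'
    raise ValueError(f"unsupported tag {tag!r} at offset {pos}")

def decode_feed(b64_text):
    """Base64-decode a feed fragment and return its parsed contents."""
    return parse(base64.b64decode(b64_text))[0]

# Constructed sample (assumption): a hypothetical poller object, not real NLG output.
SAMPLE = base64.b64encode(
    b'O:6:"Poller":3:{s:4:"host";s:5:"web01";s:5:"state";i:2;'
    b's:8:"services";a:2:{i:0;s:4:"HTTP";i:1;s:3:"SSH";}}'
)

if __name__ == "__main__":
    print(decode_feed(SAMPLE))
```
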