Hello Andreas,

On 12.05.2013 11:25, Andreas Ericsson wrote:
> On 2013-05-06 10:42, Jonas Meurer wrote:
>> Hello,
>>
>> I fear that I discovered a security issue in Nagios 3.4.4 status.cgi:
>>
>> All htaccess users, even if not listed in any authorized_for_* config
>> option, have full access to service group overview, summary and grid:
>> /nagios/cgi-bin/status.cgi?servicegroup=all&style=overview
>> /nagios/cgi-bin/status.cgi?servicegroup=all&style=summary
>> /nagios/cgi-bin/status.cgi?servicegroup=all&style=grid
>>
>> I hope that this is not intended. Is this issue known?
>>
>
> It's a bit short on info. Servicegroups should be visible if the user
> is a contact for any service in the group. If a user who has no auth
> options and is not a contact for any service can see all servicegroups,
> then yes, that's potentially a security issue.
You're nearly correct with the second assumption. Users who are contacts for _some_ services are able to see all services in service group overview, summary and grid. This problem affects everyone who restricts Nagios access by using contacts. Unprivileged users are able to fetch the whole list of hosts and services on the Nagios setup in question.

Kind regards,
jonas

_______________________________________________
Nagios-users mailing list
Nagios-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
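To make the distinction in the thread concrete, here is an added example (not code from Nagios or from either poster) that models the two rules side by side: the group-level rule Jonas describes, where being a contact for any one service in a servicegroup unlocks every service in it, and a per-service rule that filters each member individually. The host, service, contact and group names are constructed for illustration, and the `authorized_for_all` set is an assumed stand-in for the authorized_for_* CGI options, not Nagios's actual data model.

```python
# Added example (not Nagios code): a model of the servicegroup access check
# described in the thread, comparing a group-level rule with a per-service one.
# Host, service, contact and group names below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Service:
    host: str
    description: str
    contacts: FrozenSet[str]  # contacts allowed to see this service


@dataclass
class ServiceGroup:
    name: str
    members: List[Service] = field(default_factory=list)


def is_authorized_for_service(user: str, svc: Service,
                              authorized_for_all: FrozenSet[str] = frozenset()) -> bool:
    """Per-service rule: the user is a contact for the service or holds a
    global authorized_for_* style grant (modelled here as one assumed set)."""
    return user in authorized_for_all or user in svc.contacts


def visible_group_level(user: str, group: ServiceGroup,
                        authorized_for_all: FrozenSet[str] = frozenset()) -> List[Service]:
    """Coarse rule matching the report: being a contact for any member of
    the group unlocks every member of the group."""
    if any(is_authorized_for_service(user, s, authorized_for_all) for s in group.members):
        return list(group.members)
    return []


def visible_per_service(user: str, group: ServiceGroup,
                        authorized_for_all: FrozenSet[str] = frozenset()) -> List[Service]:
    """Hardened rule: filter each member individually, so only services the
    user is actually a contact for are listed."""
    return [s for s in group.members if is_authorized_for_service(user, s, authorized_for_all)]


def leaked_services(user: str, group: ServiceGroup,
                    authorized_for_all: FrozenSet[str] = frozenset()) -> List[Service]:
    """Members the group-level rule exposes although the per-service rule hides them."""
    allowed = set(visible_per_service(user, group, authorized_for_all))
    return [s for s in visible_group_level(user, group, authorized_for_all) if s not in allowed]


def servicegroup_all_view(user: str, groups: List[ServiceGroup], rule,
                          authorized_for_all: FrozenSet[str] = frozenset()) -> Dict[str, List[str]]:
    """Equivalent of servicegroup=all: apply `rule` to every group and return
    the "host/description" strings the user would get back."""
    return {g.name: [f"{s.host}/{s.description}" for s in rule(user, g, authorized_for_all)]
            for g in groups}


# Constructed sample configuration (assumed names, not from any real setup).
WEB_HTTP = Service("web01", "HTTP", frozenset({"alice"}))
DB_MYSQL = Service("db01", "MySQL", frozenset({"bob"}))
MAIL_SMTP = Service("mail01", "SMTP", frozenset({"bob"}))
PRODUCTION = ServiceGroup("production", [WEB_HTTP, DB_MYSQL, MAIL_SMTP])
STAGING = ServiceGroup("staging", [Service("stage01", "HTTP", frozenset({"bob"}))])
GROUPS = [PRODUCTION, STAGING]
ADMINS = frozenset({"admin"})  # assumed stand-in for authorized_for_all_services


if __name__ == "__main__":
    # alice is a contact for one production service only; carol is a contact
    # for nothing; admin holds the global grant.
    for user in ("alice", "carol", "admin"):
        print(user, "group-level:", servicegroup_all_view(user, GROUPS, visible_group_level, ADMINS))
        print(user, "per-service:", servicegroup_all_view(user, GROUPS, visible_per_service, ADMINS))
        print(user, "leaked:", [f"{s.host}/{s.description}"
                                for g in GROUPS for s in leaked_services(user, g, ADMINS)])
```

Run as-is, `alice` gets the full `production` member list under the group-level rule but only `web01/HTTP` under the per-service rule, so `db01/MySQL` and `mail01/SMTP` are the leaked entries; `carol`, who is a contact for nothing, sees nothing under either rule, which is the case Andreas asked about and which Jonas says is not the problem. The practical check on a live install is the same idea: log in as a user who is a contact for one service, request the three status.cgi URLs from the thread, and compare the hosts and services returned against that user's contact assignments.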