On 2013-05-06 10:42, Jonas Meurer wrote:
> Hello,
>
> I fear that I discovered a security issue in Nagios 3.4.4 status.cgi:
>
> All htaccess users, even if not listed in any authorized_for_* config
> option, have full access to service group overview, summary and grid:
> /nagios/cgi-bin/status.cgi?servicegroup=all&style=overview
> /nagios/cgi-bin/status.cgi?servicegroup=all&style=summary
> /nagios/cgi-bin/status.cgi?servicegroup=all&style=grid
>
> I hope that this is not intended. Is this issue known?
>

It's a bit short on info. Servicegroups should be visible if the user
is a contact for any service in the group. If a user who has no auth
options and is not a contact for any service can see all servicegroups,
then yes, that's potentially a security issue.

--
Andreas Ericsson andreas.erics...@op5.se
OP5 AB www.op5.se
Tel: +46 8-230225 Fax: +46 8-230231

Considering the successes of the wars on alcohol, poverty, drugs and
terror, I think we should give some serious thought to declaring war
on peace.

_______________________________________________
Nagios-users mailing list
Nagios-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null