[Pkg-nagios-devel] Bug#714171: status.cgi lists unauthorized hosts and services in servicegroup view

Jonas Meurer jonas at freesources.org
Wed Jun 26 15:11:27 UTC 2013


Package: nagios3-cgi
Version: 3.4.1-3
Severity: important
Tags: security patch

Hello,

I think that I discovered a security issue in status.cgi:

The servicegroup views (overview, summary, grid) in cgi-bin/status.c list
all hosts and services within a servicegroup. This is a security issue,
as hosts and services (at least their names) are leaked to unauthorized
users. Instead, the lists of hosts and services must contain only objects
that the user is authorized to see.
    
I already reported this issue upstream:
http://www.mail-archive.com/nagios-users@lists.sourceforge.net/msg39749.html
http://tracker.nagios.org/view.php?id=456

Now i prepared a patch to fix this issue: with the patch applied, the 
servicegroup overview, summary and grid views list only hosts and services
that the user is authorized to see.

A (tested) debdiff is attached to this bugreport.

I suggest to push this security fix to stable through stable-security.

Kind regards,
 jonas

-- System Information:
Debian Release: 7.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nagios3_status_cgi_servicegroup.debdiff
Type: text/x-diff
Size: 2960 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-nagios-devel/attachments/20130626/332ed796/attachment.diff>


More information about the Pkg-nagios-devel mailing list