[Pkg-nagios-devel] Bug#288620: nagios-common: nagios CGI reveal potentially sensitive information

Jerome Alet Jerome Alet <Jerome.Alet@unice.fr>, 288620@bugs.debian.org
Tue, 04 Jan 2005 19:08:19 +0100

Package: nagios-common
Version: 2:1.3-0+pre6
Severity: critical
Tags: security
Justification: root security hole

not a root security problem, but anyway...

by clicking on "Process Info" in the Nagios CGI, at 
the bottom of the page appears the complete connection string to 
the database (I use PostgreSQL, but the problem is certainely the 
same with MySQL).

the connection string includes the password, if one is set.

this MAY give informations to people who may be allowed to
read Nagios screen without being allowed to directly connect
to the PostgreSQL database.

once connected directly to the database, such an user could
possibly cause damage and/or access other informations.

this is not a really big problem, but hiding at least the password
from the connection string would be better in my opinion.


Jerome Alet

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.4.27-1-686-smp
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro (charmap=ISO-8859-15) (ignored: LC_ALL set to fr_FR@euro)

Versions of packages nagios-common depends on:
ii  adduser          3.59                    Add and remove users and groups
ii  apache [httpd]   1.3.33-2                Versatile, high-performance HTTP s
ii  coreutils [fileu 5.2.1-2                 The GNU core utilities
ii  debconf [debconf               Debian configuration management sy
ii  fileutils        5.2.1-2                 The GNU file management utilities 
ii  mailx            1:8.1.2-0.20040524cvs-3 A simple mail user agent
ii  nagios-pgsql [na 2:1.3-0+pre6            A host/service/network monitoring 
ii  nagios-plugins              Plugins for the nagios network mon

-- debconf information:
  nagios/wwwsuid: true
* nagios/configapache: None