[Pkg-nagios-devel] Bug#288620: nagios-common: nagios CGI reveal potentially sensitive information
Jerome Alet
Jerome Alet <Jerome.Alet@unice.fr>, 288620@bugs.debian.org
Tue, 04 Jan 2005 19:08:19 +0100
Package: nagios-common
Version: 2:1.3-0+pre6
Severity: critical
Tags: security
Justification: root security hole
not a root security problem, but anyway...
by clicking on "Process Info" in the Nagios CGI, at
the bottom of the page appears the complete connection string to
the database (I use PostgreSQL, but the problem is certainely the
same with MySQL).
the connection string includes the password, if one is set.
this MAY give informations to people who may be allowed to
read Nagios screen without being allowed to directly connect
to the PostgreSQL database.
once connected directly to the database, such an user could
possibly cause damage and/or access other informations.
this is not a really big problem, but hiding at least the password
from the connection string would be better in my opinion.
hth
Jerome Alet
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.4.27-1-686-smp
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro (charmap=ISO-8859-15) (ignored: LC_ALL set to fr_FR@euro)
Versions of packages nagios-common depends on:
ii adduser 3.59 Add and remove users and groups
ii apache [httpd] 1.3.33-2 Versatile, high-performance HTTP s
ii coreutils [fileu 5.2.1-2 The GNU core utilities
ii debconf [debconf 1.4.30.11 Debian configuration management sy
ii fileutils 5.2.1-2 The GNU file management utilities
ii mailx 1:8.1.2-0.20040524cvs-3 A simple mail user agent
ii nagios-pgsql [na 2:1.3-0+pre6 A host/service/network monitoring
ii nagios-plugins 1.3.1.0-12 Plugins for the nagios network mon
-- debconf information:
nagios/wwwsuid: true
nagios/upgradefromnetsaint:
* nagios/configapache: None