[Pkg-nagios-devel] Bug#288620: nagios-common: nagios CGI reveal potentially sensitive information

Martin Zobel-Helas <mhelas@helas.net>, 288620@bugs.debian.org
Tue, 4 Jan 2005 21:40:28 +0100

Hi Jerome, hi Nagios-Maintainers

On Tuesday, 04 Jan 2005, you wrote:
> Package: nagios-common
> Version: 2:1.3-0+pre6
> Severity: critical
> Tags: security
> Justification: root security hole
> not a root security problem, but anyway...
> by clicking on "Process Info" in the Nagios CGI, at 
> the bottom of the page appears the complete connection string to 
> the database (I use PostgreSQL, but the problem is certainly the
> same with MySQL).

I am using nagios-mysql 2:1.3-0+pre6 and I don't have this problem.

> the connection string includes the password, if one is set.

"And, you know, I mustn't preach to you, but surely it wouldn't be right for
you to take away people's pleasure of studying your attire, by just going
and making yourself like everybody else.  You feel that, don't you?"  said
he, earnestly.
		-- William Morris, "Notes from Nowhere"