[Pkg-nagios-devel] Bug#288620: marked as done (nagios-common: nagios CGI reveal potentially sensitive information)

Debian Bug Tracking System owner@bugs.debian.org
Tue, 04 Jan 2005 15:03:24 -0800


Your message dated Tue, 04 Jan 2005 23:49:53 +0100
with message-id <87zmzo3j3i.fsf@vorlon.ganneff.de>
and subject line [Pkg-nagios-devel] Bug#288620: nagios-common: nagios CGI reveal potentially sensitive information
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 4 Jan 2005 18:09:28 +0000
>From jerome@servmediup.unice.fr Tue Jan 04 10:09:28 2005
Return-path: <jerome@servmediup.unice.fr>
Received: from taloa.unice.fr [134.59.1.7] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1Clt7X-0001hM-00; Tue, 04 Jan 2005 10:09:28 -0800
Received: from naxos.unice.fr (naxos.unice.fr [134.59.1.5])
          by taloa.unice.fr (8.12.10/jtpda-5.4) with ESMTP id j04I9F7g175847
          for <submit@bugs.debian.org>; Tue, 4 Jan 2005 19:09:25 +0100 (CET)
Received: from servmediup.unice.fr (mail@servmediup.unice.fr [134.59.57.1])
          by naxos.unice.fr (8.9.3/jtpda-5.3.3) with ESMTP id TAA305975
          ; Tue, 4 Jan 2005 19:08:20 +0100 (MET)
Received: from jerome by servmediup.unice.fr with local (Exim 3.36 #1 (Debian))
	id 1Clt6R-0000kT-00; Tue, 04 Jan 2005 19:08:19 +0100
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Jerome Alet <Jerome.Alet@unice.fr>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: nagios-common: nagios CGI reveal potentially sensitive information
X-Mailer: reportbug 3.2
Date: Tue, 04 Jan 2005 19:08:19 +0100
Message-Id: <E1Clt6R-0000kT-00@servmediup.unice.fr>
Sender: Jerome Alet <jerome@servmediup.unice.fr>
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Package: nagios-common
Version: 2:1.3-0+pre6
Severity: critical
Tags: security
Justification: root security hole


not a root security problem, but anyway...

by clicking on "Process Info" in the Nagios CGI, at 
the bottom of the page appears the complete connection string to 
the database (I use PostgreSQL, but the problem is certainely the 
same with MySQL).

the connection string includes the password, if one is set.

this MAY give informations to people who may be allowed to
read Nagios screen without being allowed to directly connect
to the PostgreSQL database.

once connected directly to the database, such an user could
possibly cause damage and/or access other informations.

this is not a really big problem, but hiding at least the password
from the connection string would be better in my opinion.

hth

Jerome Alet

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.4.27-1-686-smp
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro (charmap=ISO-8859-15) (ignored: LC_ALL set to fr_FR@euro)

Versions of packages nagios-common depends on:
ii  adduser          3.59                    Add and remove users and groups
ii  apache [httpd]   1.3.33-2                Versatile, high-performance HTTP s
ii  coreutils [fileu 5.2.1-2                 The GNU core utilities
ii  debconf [debconf 1.4.30.11               Debian configuration management sy
ii  fileutils        5.2.1-2                 The GNU file management utilities 
ii  mailx            1:8.1.2-0.20040524cvs-3 A simple mail user agent
ii  nagios-pgsql [na 2:1.3-0+pre6            A host/service/network monitoring 
ii  nagios-plugins   1.3.1.0-12              Plugins for the nagios network mon

-- debconf information:
  nagios/wwwsuid: true
  nagios/upgradefromnetsaint:
* nagios/configapache: None

---------------------------------------
Received: (at 288620-done) by bugs.debian.org; 4 Jan 2005 22:49:56 +0000
>From joerg@debian.org Tue Jan 04 14:49:56 2005
Return-path: <joerg@debian.org>
Received: from mail.ganneff.de (ganneff.de) [213.146.108.162] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1ClxUx-0006kF-00; Tue, 04 Jan 2005 14:49:55 -0800
Received: from localhost (localhost [127.0.0.1])
	by ganneff.de (Postfix) with ESMTP id 06815E0137
	for <288620-done@bugs.debian.org>; Tue,  4 Jan 2005 23:49:54 +0100 (CET)
Received: from ganneff.de ([127.0.0.1])
	by localhost (goliath2 [127.0.0.1]) (amavisd-new, port 10024)
	with LMTP id 08444-02-7 for <288620-done@bugs.debian.org>;
	Tue, 4 Jan 2005 23:49:53 +0100 (CET)
Received: from vorlon.ganneff.de (ganneff.ganneff.de [213.146.108.163])
	by ganneff.de (Postfix) with ESMTP id 5BC54E0136
	for <288620-done@bugs.debian.org>; Tue,  4 Jan 2005 23:49:53 +0100 (CET)
Mail-Copies-To: never
To: 288620-done@bugs.debian.org
Subject: Re: [Pkg-nagios-devel] Bug#288620: nagios-common: nagios CGI reveal potentially sensitive information
Organization: Goliath-BBS
In-Reply-To: <20050104213813.GA5619@mail.librelogiciel.com> (Jerome Alet's
	message of "Tue, 4 Jan 2005 22:38:13 +0100")
References: <E1Clt6R-0000kT-00@servmediup.unice.fr>
	<20050104204028.GA5546@jas.helas.net>
	<20050104213813.GA5619@mail.librelogiciel.com>
From: Joerg Jaspert <joerg@debian.org>
X-GPG-ID: 0x7E7B8AC9
X-GPG-FP: DF7D EB2F DB28 FD2B A9FB  FA6D 715E D6A0 7E7B 8AC9
X-message-flag: Formating hard disk. please wait...   10%...   20%...
Date: Tue, 04 Jan 2005 23:49:53 +0100
Message-ID: <87zmzo3j3i.fsf@vorlon.ganneff.de>
User-Agent: Gnus/5.110003 (No Gnus v0.3) Emacs/21.3.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
	micalg=pgp-sha1; protocol="application/pgp-signature"
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at ganneff.de
Delivered-To: 288620-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

--=-=-=

On 10159 March 1977, Jerome Alet wrote:

>> On Tuesday, 04 Jan 2005, you wrote:
>
>> > by clicking on "Process Info" in the Nagios CGI, at 
>> > the bottom of the page appears the complete connection string to 
>> > the database (I use PostgreSQL, but the problem is certainely the 
>> > same with MySQL).
>> 
>> I am using nagios-mysql 2:1.3-0+pre6 and i dont have this problem.
>
> Found !
>
> It was my bad, you can safely close this bug.
>
> In fact I had modified check_nagios_db to output these variables (I 
> removed the commented 'print') when I was setting it up, in case 
> something would went wrong, and I didn't realize that what I saw 
> was the first line of the output of this command.
>
> Once I had re-commented out the 'print' line, all was OK.
>
> Sorry for this guys, and thanks for your help.
>
> Jerome Alet

Closed, submitter error. :)

-- 
bye Joerg
<Sahneschnitter> Aquariophile: welches debian/ welche xfree version?
<Aquariophile> woody
<Aquariophile> Xfree version 86

--=-=-=
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Joerg Jaspert <joerg@debian.org> -- Debian Developer

iD8DBQBB2x2RcV7WoH57iskRAgwuAJ0XpGp7/ui5Q3GpzXOZNZEeNBgTJQCdE2Ti
5bkqczAra6Xx1HqBWOjJlPA=
=kqkl
-----END PGP SIGNATURE-----
--=-=-=--