[Pkg-nagios-devel] Bug#504894: SA32610: Nagios "cmd.cgi" Cross-Site Request Forgery

Raphael Geissert atomo64 at gmail.com
Fri Nov 7 20:12:01 UTC 2008


Package: nagios3
Severity: grave
Tags: security patch

Hi,

The following SA (Secunia Advisory) id was published for Nagios.

SA32610[1]:
> Andreas Ericsson has discovered a vulnerability in Nagios, which can be
> exploited by malicious people to conduct cross-site request forgery
> attacks.
>
> The application allows users to perform certain actions via HTTP requests
> to "cmd.cgi" without performing any validity checks to verify the request.
> This can be exploited to execute certain Nagios commands (e.g. to disable
> notifications) when a logged-in administrator visits a malicious web site.
>
> The vulnerability is confirmed in version 3.0.5. Other versions may also be
> affected.

A proposed patch is available at [2].

If you fix the vulnerability, please also make sure to include the SA id (or
the CVE id when one is assigned) in the changelog entry.

[1]http://secunia.com/Advisories/32610/
[2]http://git.op5.org/git/?p=nagios.git;a=commit;h=814d8d4d1a73f7151eeed187c0667585d79fea18

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
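An added example, not the Nagios patch at [2] and not code from this thread: a small C CGI-style check that binds each state-changing command to a per-session token, which is the usual mitigation for the missing request-validity check the advisory describes for cmd.cgi. Function names, parameter names and all sample values are constructed for illustration.

```c
/* Hypothetical anti-CSRF check for a CGI command handler (not Nagios code). */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define TOKEN_LEN 32

/* Copy the value of `key` from a form body or query string into `out`.
 * Matches only at parameter boundaries; tokens are plain hex, so no
 * %-decoding is needed. Returns 1 if found and it fits, else 0. */
static int get_param(const char *qs, const char *key, char *out, size_t outsz) {
    size_t klen = strlen(key);
    const char *p = qs;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            size_t n = strcspn(v, "&");
            if (n >= outsz) return 0;
            memcpy(out, v, n);
            out[n] = '\0';
            return 1;
        }
        p = strchr(p, '&');
        if (p) p++;
    }
    return 0;
}

/* Constant-time comparison so a mismatch does not leak token bytes. */
static int token_equal(const char *a, const char *b) {
    unsigned char diff = 0;
    size_t i;
    if (strlen(a) != TOKEN_LEN || strlen(b) != TOKEN_LEN) return 0;
    for (i = 0; i < TOKEN_LEN; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* A command is dispatched only if the request carries the token bound to
 * the authenticated session. A form on a third-party site cannot read that
 * token, so a forged request is rejected here before any command runs. */
int cmd_authorized(const char *request_params, const char *session_token) {
    char token[TOKEN_LEN + 1];
    if (!get_param(request_params, "csrf_token", token, sizeof token)) return 0;
    return token_equal(token, session_token);
}

int main(void) {
    /* Constructed values; a real session token comes from a CSPRNG. */
    const char *session = "0123456789abcdef0123456789abcdef";
    printf("with token: %d\n", cmd_authorized("cmd=1&csrf_token=0123456789abcdef0123456789abcdef", session));
    printf("cross-site: %d\n", cmd_authorized("cmd=1", session));
    return 0;
}
```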