[Pkg-nagios-devel] Bug#794976: nagios3: loads remote web resources
Matt Taggart
taggart at debian.org
Sat Aug 8 21:45:24 UTC 2015
Package: nagios3-cgi
Version: 3.5.1.dfsg-2+b1
Severity: wishlist
The main nagios webpage
/usr/share/nagios3/htdocs/index.php
loads
/usr/share/nagios3/htdocs/main.php
which cotains some javascript that loads
/usr/share/nagios3/htdocs/rss-feed.php
/usr/share/nagios3/htdocs/rss-newsfeed.php
which pull remote RSS feeds from
http://www.nagios.org/backend/feeds/corepromo
http://www.nagios.org/backend/feeds/frontpage/
This might be undesirable for a couple reasons:
1) it would reveal to a network evesdropper that a system has
nagios installed, which could prompt attacks.
2) it will fail if the server does not have a route to the internet
3) it uses a tiny amount of bandwidth
These are all relatively minor issues, but in general it would be
better if debian packages did not load remote resources (although it's
not strictly against policy) so I think this is only 'wishlist'
severity.
Thanks,
--
Matt Taggart
taggart at debian.org
More information about the Pkg-nagios-devel
mailing list