[Secure-testing-team] Bug#714171: status.cgi lists unauthorized hosts and services in servicegroup view

Jonas Meurer jonas at freesources.org
Wed Jun 26 15:11:27 UTC 2013


Package: nagios3-cgi
Version: 3.4.1-3
Severity: important
Tags: security patch

Hello,

I think that I discovered a security issue in status.cgi:

The servicegroup views (overview, summary, grid) in cgi-bin/status.c list
all hosts and services within a servicegroup. This is a security issue,
as hosts and services (at least their names) are leaked to unauthorized
users. Instead, the lists of hosts and services must contain only objects
that the user is authorized to see.
I already reported this issue upstream:
http://www.mail-archive.com/nagios-users@lists.sourceforge.net/msg39749.html
http://tracker.nagios.org/view.php?id=456

Now I prepared a patch to fix this issue: with the patch applied, the
servicegroup overview, summary and grid views list only hosts and services
that the user is authorized to see.

A (tested) debdiff is attached to this bug report.

I suggest pushing this security fix to stable through stable-security.

Kind regards,
 jonas

-- System Information:
Debian Release: 7.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nagios3_status_cgi_servicegroup.debdiff
Type: text/x-diff
Size: 2960 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20130626/332ed796/attachment.diff>
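As an added illustration (not the attached debdiff and not Nagios' own code), here is a reduced C model of the reported defect beside the fix: the servicegroup listing either emits every member or first asks the per-object authorization check. The struct layout, the contact-based authorization rule, the function names and the sample hosts and services are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Simplified stand-ins for the Nagios object model (assumption, not the real structs). */
typedef struct { const char *name; const char *contact; } host;
typedef struct { const char *host_name; const char *description; const char *contact; } service;
typedef struct { const char *username; int authorized_for_all_services; } authdata;

/* Constructed sample data: one servicegroup with three member services on two hosts. */
static const host HOSTS[] = { {"web01", "alice"}, {"db01", "bob"} };
static const service GROUP_MEMBERS[] = {
    {"web01", "HTTP",  "alice"},
    {"web01", "SSH",   "ops"},
    {"db01",  "MySQL", "bob"},
};
#define N_MEMBERS (sizeof GROUP_MEMBERS / sizeof GROUP_MEMBERS[0])

static const host *find_host(const char *name) {
    size_t i;
    for (i = 0; i < sizeof HOSTS / sizeof HOSTS[0]; i++)
        if (strcmp(HOSTS[i].name, name) == 0) return &HOSTS[i];
    return NULL;
}

/* Assumed rule, modelled on the CGIs' contact checks: a viewer may see a service
   if they are a contact for it or for its host, or hold authorized_for_all_services. */
static int is_authorized_for_service(const service *svc, const authdata *auth) {
    const host *h;
    if (auth->authorized_for_all_services) return 1;
    if (strcmp(svc->contact, auth->username) == 0) return 1;
    h = find_host(svc->host_name);
    return h != NULL && strcmp(h->contact, auth->username) == 0;
}

/* Defective behaviour as reported: every group member is listed regardless of viewer. */
size_t list_servicegroup_unfiltered(const authdata *auth, const service **out) {
    size_t i;
    (void)auth; /* authorization never consulted: names leak to any viewer */
    for (i = 0; i < N_MEMBERS; i++) out[i] = &GROUP_MEMBERS[i];
    return N_MEMBERS;
}

/* Fixed behaviour: only members the viewer is authorized for are listed. */
size_t list_servicegroup_filtered(const authdata *auth, const service **out) {
    size_t i, n = 0;
    for (i = 0; i < N_MEMBERS; i++)
        if (is_authorized_for_service(&GROUP_MEMBERS[i], auth)) out[n++] = &GROUP_MEMBERS[i];
    return n;
}
```

Run with a viewer who is contact for only one host and compare the two list lengths; the same per-object gate applies to the host list in the overview and grid views.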
