Comments (11)
Since the CGIs are written in C, using a session-based method would require a pretty big overhaul. As indicated in the link above, checking the Referer header can be effective in many cases. Not fool-proof, but much easier to implement than a whole session-management scheme.
Yes. I think it's difficult to do in C, but you need to implement the CSRF token, because this gives at least some protection for the application. I don't think that the Referer header is a good idea.
Hi Team, could you please make this a priority and fix this issue.
I agree that checking the Referer header is not ideal, and I have noted your concern. However if you want us to implement a complete HTTP session mechanism in C, this is not something that can be made a priority and implemented quickly. If we are going to take that route we either need to evaluate existing C libraries for session management or write our own, both of which will take some time.
Checking the Referer, while not as safe as a CSRF token based on the session, is much easier to implement and could be done on a shorter timeline. At the very least that would give some protection until we come up with a solution to the lack of sessions in C (if we decide to go down that path).
@madhuakula - In addition to what @tmcnag has mentioned, as this is an open source project, if you have a patch for this, please feel free to make a pull request and our maintainers would be glad to take a look at it.
Thanks!
Ok, sure. I will let you know @scottwilkerson. Is the web interface based on PHP? I mean, is the authentication logic and other things done in PHP?
I'm not sure I understand your question. All of the PoC you posted was for *.cgi files which are written in C. PHP does not come into play when calling those directly.
Got it, I will check if I can provide a fix. I am not sure, because the code is in C.
Thanks for the quick response @tmcnag
There are only a few PHP pages; almost all of the pages are served from C CGIs.
I will also add that we will not go down the route of checking referrers, as thousands of installations actually also call the CGIs from other locations after passing auth credentials, as well as calling the CGIs from the CLI after setting the REMOTE_USER environment variable.
For now I'm going to close this issue, however feel free to reference it if you make a pull request.
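The thread's sticking point is that the CGIs have no session store to tie a CSRF token to. The following is an added example, not Nagios Core code and not something the maintainers proposed: a stateless token built as HMAC-SHA256 over the authenticated username (REMOTE_USER, which the CGIs already rely on) and an expiry time, under a server-side secret. Nothing is stored server-side, so it fits a C CGI; the only per-deployment state is the secret. The names `csrf_token`, `csrf_verify`, the hidden-field name `csrf`, and the `SECRET` value are all assumptions made for the example; SHA-256 and HMAC are implemented inline so the block compiles without OpenSSL.

```c
/* Added example (not Nagios Core code): stateless CSRF token for a C CGI.
 * token = "<expiry>.<hex(HMAC-SHA256(SECRET, REMOTE_USER "\n" expiry))>".
 * SECRET is a constructed placeholder; a real deployment reads it from a file
 * readable only by the CGI user and rotates it like any other credential. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define ROR(x, n) (((x) >> (n)) | ((x) << (32 - (n))))
static const uint32_t K[64] = {
    0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5,0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5,
    0xd807aa98,0x12835b01,0x243185be,0x550c7dc3,0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174,
    0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc,0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da,
    0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7,0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967,
    0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13,0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85,
    0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3,0xd192e819,0xd6990624,0xf40e3585,0x106aa070,
    0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5,0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3,
    0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208,0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2 };

/* Single-call SHA-256 (FIPS 180-4) over a padded copy of the message. */
static void sha256(const uint8_t *msg, size_t len, uint8_t out[32]) {
    uint32_t h[8] = {0x6a09e667,0xbb67ae85,0x3c6ef372,0xa54ff53a,
                     0x510e527f,0x9b05688c,0x1f83d9ab,0x5be0cd19};
    size_t padlen = ((len + 9 + 63) / 64) * 64;
    uint8_t *buf = calloc(padlen, 1);
    if (!buf) abort();
    memcpy(buf, msg, len);
    buf[len] = 0x80;                              /* 1 bit, then zeros, then 64-bit length */
    for (int i = 0; i < 8; i++) buf[padlen - 1 - i] = (uint8_t)(((uint64_t)len * 8) >> (8 * i));
    for (size_t off = 0; off < padlen; off += 64) {
        uint32_t w[64], a, b, c, d, e, f, g, hh;
        for (int i = 0; i < 16; i++)
            w[i] = (uint32_t)buf[off+4*i] << 24 | (uint32_t)buf[off+4*i+1] << 16 |
                   (uint32_t)buf[off+4*i+2] << 8 | buf[off+4*i+3];
        for (int i = 16; i < 64; i++)
            w[i] = w[i-16] + (ROR(w[i-15],7) ^ ROR(w[i-15],18) ^ (w[i-15] >> 3))
                 + w[i-7] + (ROR(w[i-2],17) ^ ROR(w[i-2],19) ^ (w[i-2] >> 10));
        a=h[0]; b=h[1]; c=h[2]; d=h[3]; e=h[4]; f=h[5]; g=h[6]; hh=h[7];
        for (int i = 0; i < 64; i++) {
            uint32_t t1 = hh + (ROR(e,6) ^ ROR(e,11) ^ ROR(e,25)) + ((e & f) ^ (~e & g)) + K[i] + w[i];
            uint32_t t2 = (ROR(a,2) ^ ROR(a,13) ^ ROR(a,22)) + ((a & b) ^ (a & c) ^ (b & c));
            hh = g; g = f; f = e; e = d + t1; d = c; c = b; b = a; a = t1 + t2;
        }
        h[0]+=a; h[1]+=b; h[2]+=c; h[3]+=d; h[4]+=e; h[5]+=f; h[6]+=g; h[7]+=hh;
    }
    for (int i = 0; i < 8; i++)
        for (int j = 0; j < 4; j++) out[4*i+j] = (uint8_t)(h[i] >> (24 - 8*j));
    free(buf);
}

/* HMAC(K, m) = H((K ^ opad) || H((K ^ ipad) || m)), RFC 2104, block size 64. */
static void hmac_sha256(const uint8_t *key, size_t klen,
                        const uint8_t *msg, size_t mlen, uint8_t out[32]) {
    uint8_t k[64] = {0}, outer[96], *inner = malloc(64 + mlen);
    if (!inner) abort();
    if (klen > 64) sha256(key, klen, k); else memcpy(k, key, klen);
    for (int i = 0; i < 64; i++) { inner[i] = k[i] ^ 0x36; outer[i] = k[i] ^ 0x5c; }
    memcpy(inner + 64, msg, mlen);
    sha256(inner, 64 + mlen, outer + 64);          /* inner digest appended to opad block */
    sha256(outer, 96, out);
    free(inner);
}

static const char SECRET[] = "constructed-example-secret-not-for-deployment";

static void to_hex(const uint8_t *in, size_t n, char *out) {
    for (size_t i = 0; i < n; i++) sprintf(out + 2*i, "%02x", in[i]);
}

/* Mint a token for `user` valid until `expiry`. "\n" separates the two fields;
 * REMOTE_USER cannot contain a newline, so the encoding is unambiguous. */
static void csrf_token(const char *user, time_t expiry, char out[96]) {
    char msg[256], hex[65]; uint8_t mac[32];
    snprintf(msg, sizeof msg, "%s\n%lld", user, (long long)expiry);
    hmac_sha256((const uint8_t *)SECRET, sizeof SECRET - 1, (const uint8_t *)msg, strlen(msg), mac);
    to_hex(mac, 32, hex);
    snprintf(out, 96, "%lld.%s", (long long)expiry, hex);
}

/* 1 if `token` was minted for `user` and has not expired at `now`, else 0.
 * The MAC comparison is constant-time so a forger learns nothing per guess. */
static int csrf_verify(const char *user, const char *token, time_t now) {
    char *end, expected[96];
    long long expiry = strtoll(token, &end, 10);
    if (end == token || *end != '.' || expiry < (long long)now) return 0;
    csrf_token(user, (time_t)expiry, expected);
    if (strlen(expected) != strlen(token)) return 0;
    unsigned diff = 0;
    for (size_t i = 0; token[i]; i++) diff |= (unsigned)(token[i] ^ expected[i]);
    return diff == 0;
}

int main(void) {
    const char *user = getenv("REMOTE_USER");
    if (!user) user = "nagiosadmin";               /* constructed fallback for the demo */
    char tok[96]; time_t now = time(NULL);
    csrf_token(user, now + 3600, tok);             /* one-hour lifetime */
    printf("<input type=\"hidden\" name=\"csrf\" value=\"%s\">\n", tok);
    printf("valid for %s: %d, valid for another user: %d\n",
           user, csrf_verify(user, tok, now), csrf_verify("someone-else", tok, now));
    return 0;
}
```

The form page emits the hidden field and the command-submission CGI calls `csrf_verify` with the same REMOTE_USER before acting. A cross-site page cannot read the victim's form, so it cannot supply the field, and a token minted for another account fails verification. Keep the token in POST bodies rather than query strings so it does not land in access logs. This example does not settle how the CLI callers mentioned above should be handled; they could mint a token with the same secret, or the check could apply only to requests that actually arrive over HTTP.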
@scottwilkerson I think you should keep this in your roadmap at least, because it's a security issue. If some attackers know about this, they can take advantage and do malicious activities like changing settings, deleting and adding notifications, and other things. Nagios is used by all enterprises, and all monitoring alerts and NOC & SOC team alerts are based on this. If an attacker misuses this vulnerability, he can get the best of it using exploitation.
I did just want to add one more piece of information on this issue.
Admins can change which users have the ability to submit commands by changing the settings in the cgi.cfg.
https://assets.nagios.com/downloads/nagioscore/docs/nagioscore/4/en/configcgi.html
If the admin is concerned about CSRF Vulnerabilities for any or all users they can remove these users from the appropriate directives.