
Comments (11)

tmcnag avatar tmcnag commented on July 29, 2024

Since the CGIs are written in C, using a session-based method would require a pretty big overhaul. As indicated in the link above, checking the Referer header can be effective in many cases. Not foolproof, but much easier to implement than a whole session-management scheme.

from nagioscore.

madhuakula avatar madhuakula commented on July 29, 2024

Yes. I think it's difficult to do in C, but you must implement the CSRF token, because this provides at least some protection for the application. I don't think that the Referer header is a good idea.

from nagioscore.

madhuakula avatar madhuakula commented on July 29, 2024

Hi Team, could you please make this a priority and fix this issue?

from nagioscore.

tmcnag avatar tmcnag commented on July 29, 2024

I agree that checking the Referer header is not ideal, and I have noted your concern. However if you want us to implement a complete HTTP session mechanism in C, this is not something that can be made a priority and implemented quickly. If we are going to take that route we either need to evaluate existing C libraries for session management or write our own, both of which will take some time.

Checking the Referer, while not as safe as a CSRF token based on the session, is much easier to implement and could be done on a shorter timeline. At the very least that would give some protection until we come up with a solution to the lack of sessions in C (if we decide to go down that path).

from nagioscore.
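The Referer check proposed in the comment above, written out as an added example in C. This is not code from Nagios Core: it is illustration code that reads the same CGI environment variables the CGIs would see (HTTP_ORIGIN, HTTP_REFERER) and compares the header's authority with a configured expected host. Assumptions: the expected host comes from configuration (a hypothetical setting; HTTP_HOST is itself client-supplied, so it is not used as the reference value), and the check is applied only to state-changing requests. It also makes the thread's objection concrete: a request carrying neither header, which is what a command-line invocation of the CGI or a Referer-stripping proxy produces, is rejected, because the check cannot tell that case apart from an attack.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Case-insensitive ASCII equality for host names. */
static int host_ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Copy the authority (host[:port]) of an absolute http(s) URL into out.
 * Fails closed (returns 0) when the value is not an absolute http(s) URL,
 * carries userinfo ("https://nagios.example@evil.example/" would otherwise
 * start with our host name), is empty, or does not fit in out. */
static int url_authority(const char *url, char *out, size_t outlen)
{
    const char *p;
    size_t n;

    if (strncmp(url, "https://", 8) == 0)     p = url + 8;
    else if (strncmp(url, "http://", 7) == 0) p = url + 7;
    else return 0;                            /* browsers send the scheme in lower case */

    n = strcspn(p, "/?#");                    /* authority ends at path, query or fragment */
    if (n == 0 || n >= outlen || memchr(p, '@', n) != NULL)
        return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Decide whether a state-changing CGI request came from this instance's own origin.
 *   expected_host : authority the UI is served under, taken from configuration
 *                   (HTTP_HOST is also client-supplied, so it is not the reference)
 *   origin        : HTTP_ORIGIN from the CGI environment, or NULL
 *   referer       : HTTP_REFERER from the CGI environment, or NULL
 * Origin wins when present: browsers send it on cross-site POSTs even when they
 * suppress Referer. With neither header we fail closed, which is exactly what a
 * command-line invocation of the CGI (no HTTP headers at all) or a Referer-stripping
 * proxy looks like; the check cannot tell those apart from an attack.
 * Returns 1 if same-origin, 0 otherwise. */
int same_origin_request(const char *expected_host, const char *origin, const char *referer)
{
    char auth[256];

    if (expected_host == NULL || *expected_host == '\0')
        return 0;
    if (origin != NULL && *origin != '\0') {
        if (strcmp(origin, "null") == 0)      /* opaque origin: sandboxed frame, data: URL, ... */
            return 0;
        return url_authority(origin, auth, sizeof auth) && host_ieq(auth, expected_host);
    }
    if (referer != NULL && *referer != '\0')
        return url_authority(referer, auth, sizeof auth) && host_ieq(auth, expected_host);
    return 0;
}

/* The same check fed from the CGI environment, the way a CGI would call it. */
int same_origin_request_env(const char *expected_host)
{
    return same_origin_request(expected_host, getenv("HTTP_ORIGIN"), getenv("HTTP_REFERER"));
}
```

The comparison is on the whole authority, not a prefix or substring: "https://nagios.example.evil.example/", "https://evil.example/nagios.example/" and "https://nagios.example@evil.example/" are all rejected, which are the three ways a naive `strstr`-style Referer check is usually bypassed. A port in the configured value must match the port in the header.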

scottwilkerson avatar scottwilkerson commented on July 29, 2024

@madhuakula - In addition to what @tmcnag has mentioned, as this is an open source project, if you have a patch for this, please feel free to make a pull request and our maintainers would be glad to take a look at it.

Thanks!

from nagioscore.

madhuakula avatar madhuakula commented on July 29, 2024

OK, sure. I will let you know, @scottwilkerson. Is the web interface based on PHP? I mean, is the authentication logic, and other things, done in PHP?

from nagioscore.

tmcnag avatar tmcnag commented on July 29, 2024

I'm not sure I understand your question. All of the PoC you posted was for *.cgi files which are written in C. PHP does not come into play when calling those directly.

from nagioscore.

madhuakula avatar madhuakula commented on July 29, 2024

Got it, I will check if I can provide a fix. I am not sure, because the code is in C.

Thanks for quick response @tmcnag

from nagioscore.

scottwilkerson avatar scottwilkerson commented on July 29, 2024

There are only a few PHP pages; almost all of the pages are served from C CGIs.

I will also add that we will not go down the route of checking referrers, as thousands of installations actually also call the CGIs from other locations after passing auth credentials, as well as calling the CGIs from the CLI after setting the REMOTE_USER environment variable.

For now I'm going to close this issue; however, feel free to reference it if you make a pull request.

from nagioscore.

madhuakula avatar madhuakula commented on July 29, 2024

@scottwilkerson I think you should keep this in your roadmap at least, because it's a security issue. If some attackers know about this, they can take advantage of it and do malicious activities like changing settings, deleting and adding notifications, and other things. Nagios is used by all enterprises, and all monitoring alerts and NOC & SOC team alerts are based on this. If an attacker misuses this vulnerability, he can get the best of it using exploitation.

from nagioscore.

scottwilkerson avatar scottwilkerson commented on July 29, 2024

I did just want to add one more piece of information on this issue.

Admins can change which users have the ability to submit commands by changing the settings in cgi.cfg.
https://assets.nagios.com/downloads/nagioscore/docs/nagioscore/4/en/configcgi.html

If the admin is concerned about CSRF Vulnerabilities for any or all users they can remove these users from the appropriate directives.

from nagioscore.
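The cgi.cfg authorization directives the comment above points to, as an added example (not taken from a Nagios distribution; the user names are made up). The first fragment hands command rights to every web account, so a forged request riding on any of those users' browser sessions can submit commands; the second restricts command submission to one admin account and marks the remaining accounts read-only. Note that a web user who is also defined as a contact for a host or service can act on that object through the CGIs regardless of the command directives, so listing viewer accounts under authorized_for_read_only is what actually removes command access for them.

```ini
# Weak: every web account listed here may submit any command (each
# directive is a comma-separated list of web user names).
authorized_for_system_commands=nagiosadmin,noc1,noc2,helpdesk
authorized_for_all_host_commands=nagiosadmin,noc1,noc2,helpdesk
authorized_for_all_service_commands=nagiosadmin,noc1,noc2,helpdesk

# Tightened: only the admin account may submit commands; the others keep
# view access and are explicitly read-only, so a forged request made with
# their credentials has nothing it is allowed to do.
authorized_for_system_commands=nagiosadmin
authorized_for_all_host_commands=nagiosadmin
authorized_for_all_service_commands=nagiosadmin
authorized_for_all_hosts=nagiosadmin,noc1,noc2,helpdesk
authorized_for_all_services=nagiosadmin,noc1,noc2,helpdesk
authorized_for_read_only=noc1,noc2,helpdesk
```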
