Package: nagios3-cgi
Version: 3.4.1-3
Severity: important
Tags: security patch
Hello,

I think that I discovered a security issue in status.cgi: The servicegroup views (overview, summary, grid) in cgi-bin/status.c list all hosts and services within a servicegroup. This is a security issue, as hosts and services (at least their names) are leaked to unauthorized users. Instead, the lists of hosts and services must contain only objects that the user is authorized to see.

I already reported this issue upstream:
http://www.mail-archive.com/nagios-users@lists.sourceforge.net/msg39749.html
http://tracker.nagios.org/view.php?id=456

Now I prepared a patch to fix this issue: with the patch applied, the servicegroup overview, summary and grid views list only hosts and services that the user is authorized to see. A (tested) debdiff is attached to this bug report.

I suggest pushing this security fix to stable through stable-security.

Kind regards,
jonas

-- System Information:
Debian Release: 7.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
diff -u nagios3-3.4.1/debian/changelog nagios3-3.4.1/debian/changelog --- nagios3-3.4.1/debian/changelog +++ nagios3-3.4.1/debian/changelog @@ -1,3 +1,11 @@ +nagios3 (3.4.1-3.1) unstable; urgency=low + + * Non-maintainer upload. + * Stop status.cgi from listing unauthorized hosts and services in + servicegroup view. + + -- Jonas Meurer <jo...@freesources.org> Wed, 26 Jun 2013 16:44:56 +0200 + nagios3 (3.4.1-3) unstable; urgency=low * Fix several overflows in getcgi.cgi and history.cgi diff -u nagios3-3.4.1/debian/patches/00list nagios3-3.4.1/debian/patches/00list --- nagios3-3.4.1/debian/patches/00list +++ nagios3-3.4.1/debian/patches/00list @@ -11,0 +12 @@ +99_security_status_cgi_servicegroup.dpatch only in patch2: unchanged: --- nagios3-3.4.1.orig/debian/patches/99_security_status_cgi_servicegroup.dpatch +++ nagios3-3.4.1/debian/patches/99_security_status_cgi_servicegroup.dpatch 
@@ -0,0 +1,56 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 99_security_status_cgi_servicegroup.dpatch by Jonas Meurer <jmeu...@inet.de> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Stop cgi-bin/status.c from listing unauthorized hosts and +## DP: services in servicegroup view +## DP: Upstream bugreport: http://tracker.nagios.org/view.php?id=456 + +@DPATCH@ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' nagios3-3.4.1~/cgi/status.c nagios3-3.4.1/cgi/status.c +--- nagios3-3.4.1~/cgi/status.c 2012-02-13 21:40:42.000000000 +0100 ++++ nagios3-3.4.1/cgi/status.c 2013-06-26 16:52:37.668132234 +0200 +@@ -2534,6 +2534,10 @@ + if(temp_host == NULL) + continue; + ++ /* make sure user has rights to view this host */ ++ if(is_authorized_for_host(temp_host, ¤t_authdata) == FALSE) ++ continue; ++ + /* skip this if it isn't a new host... */ + if(temp_host == last_host) + continue; +@@ -2739,6 +2743,10 @@ + if(temp_host == NULL) + continue; + ++ /* make sure user has rights to view this host */ ++ if(is_authorized_for_host(temp_host, ¤t_authdata) == FALSE) ++ continue; ++ + /* skip this if it isn't a new host... */ + if(temp_host == last_host) + continue; +@@ -2918,6 +2926,10 @@ + if(temp_service == NULL) + continue; + ++ /* make sure user has rights to view this service */ ++ if(is_authorized_for_service(temp_service, ¤t_authdata) == FALSE) ++ continue; ++ + /* find the service status */ + temp_servicestatus = find_servicestatus(temp_service->host_name, temp_service->description); + if(temp_servicestatus == NULL) +@@ -3270,6 +3282,10 @@ + if(temp_host == NULL) + continue; + ++ /* make sure user has rights to view this host */ ++ if(is_authorized_for_host(temp_host, ¤t_authdata) == FALSE) ++ continue; ++ + /* get the status of the host */ + temp_hoststatus = find_hoststatus(temp_host->name); + if(temp_hoststatus == NULL)
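Review bot: the debian/changelog hunk targets `unstable` with `urgency=low`, yet the report asks for the fix to reach stable through stable-security; an upload intended for the stable security queue needs the stable security distribution in the changelog entry and a version derived from the stable 3.4.1-3 package rather than the unstable NMU version `3.4.1-3.1`, and a security fix normally carries `urgency=high`. It would also help to reference the bug this closes in the entry (`Closes: #<bug number>`) so the security tracker can link the upload to this report.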
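Review bot: the four cgi/status.c hunks each insert the same three-line guard (`is_authorized_for_host` for the host loops, `is_authorized_for_service` for the service loop) ahead of the existing processing, which is the right place to drop unauthorized objects before any name is emitted; two points before this is applied. First, the second argument appears in every hunk as `¤t_authdata`, which reads as `&current_authdata` mangled by HTML-entity processing (`&curren`), so verify that the dpatch file in the attached debdiff is intact and applies cleanly before building. Second, the `## DP:` description only says "servicegroup view"; since the hunks touch the overview, summary and grid code paths, spell those out in the dpatch header so the coverage of the fix is auditable, and confirm that any servicegroup-level totals computed from these lists in the summary view are derived after the filtering rather than from the unfiltered servicegroup membership.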