Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 04 Sep 2013 11:03:09 +0200
From: Andreas Ericsson <>
CC: Jonas Meurer <>,, Vincent Danen <>, 
 Kurt Seifried <>,
Subject: Re: Security bug or feature? Servicegroups leak hostnames
 to unauthorized users (Was: CVE request: unauthorized host/service
 views displayed in servicegroup view)

On 2013-09-04 10:31, Jonas Meurer wrote:
> Hey list and fellow Nagios developers,
> as you might have noticed, there's a discussion ongoing on oss-security[1]
> regarding bug report #456[2].
> I'm the one who discovered the described issue, and I still believe that
> it's a bug with security implications, even though not everyone seems to
> be convinced.
> I'll try to give a brief description of the issue:
> The Nagios status.cgi (at all 3.4* and 4.0* versions I checked) leaks
> hostnames to unauthorized users as part of servicegroups. All of
> servicegroup overview, summary and grid list each and every hostname that
> is part of a servicegroup, regardless whether the HTTP user is listed in
> contacts/contactgroups for this host.
> In my opinion this is a security issue - at least on multi-user (e.g.
> multi-customer) Nagios-setups. I guess that most ISPs which give their
> customers access to the Nagios CGIs don't want to provide a full list
> of monitored hosts to their customers as a side-effect.
> One reason for confusion is the following entry from Nagios3 changelog[3]:
> 3.4.0 - 05/04/2012
> [...]
> - Users can now see hostgroups and servicegroups that contain at least
>    one host or service they are authorized for, instead of having to
>    be authorized for them all (Ethan Galstad)
> The indisputable part of this change is, that users are allowed to see
> hostgroups and servicegroups with at least one authorized host or
> service. Unclear is, whether this means "group and all its group
> members", or "group and only authorized group members".

It should mean "group and only authorized group members, except also
hosts for services where one is authorized to see the service".

> Unfortunately, no Nagios developer speaked up yet about this issue. Thus
> there's still a lot confusion about it.

Well, now I have, so confusion dispelled.

> You can find my patch at the Nagios Issue Tracker.

Ah, right. Care to provide a link? Mostly, I prefer to get patches to
this mailing list, since I don't spend a lot of time hunting them down
from the (underused) tracker.

> This patch changes
> status.cgi behaviour to show only group members (hosts/services) that
> the user is authorized to see.
> A comment about this issue by the Nagios Developers whould be highly
> appreciated. In case that the described (and critizised) behaviour of
> status.cgi is intended, the distribution security teams can move on.

Well, it *was* by design, but now I'm changing the design. It's a good
time for it, since 4.0 is about to come out. I think the security teams
can move on and we'll consider this "changed" rather than "fixed" for
4.0, where we do some security tightening.

> If on the other hand you agree with me, that this issue should be
> fixed, I'll continue to work with the security teams in order to
> provide patched Nagios packages for their distributions.
> Thanks for your work on Nagios, it's a very valuable piece of software!

Thanks for enjoying it.

Andreas Ericsson         
OP5 AB                   
Tel: +46 8-230225                  Fax: +46 8-230231

Considering the successes of the wars on alcohol, poverty, drugs and
terror, I think we should give some serious thought to declaring war
on peace.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.