Nagios update closes "Cross Site Request Forgery" hole
The Nagios developers have closed a "Cross Site Request Forgery" vulnerability in version 3.0.5 of the open source tool for monitoring servers and network components. The vulnerability allows attackers to use the tool's web interface without authenticating themselves and to change, among other things, the configuration.
For an attack to succeed, though, a Nagios user would need, after logging into Nagios, to open a second window containing a specially crafted web page. The problem is caused by insufficient validity checking of HTTP requests. While Nagios is only used for monitoring, not for controlling systems, attackers could conceal the failure of an important security system by manipulating the monitoring tool.
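The "insufficient validity checking" described above is illustrated by the following added example, which is not Nagios code: a constructed, simplified model of a monitoring tool's command endpoint, with the request-validation behaviour before and after an anti-CSRF fix. The session, request and command names and the site origin are all assumed for the illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed model: a logged-in session identified by a cookie, plus a
# per-session anti-CSRF token that only the tool's own pages can embed.
@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))

@dataclass
class Request:
    method: str
    cookie_session: Optional[Session]   # browser attaches the cookie automatically
    form: dict
    origin: Optional[str] = None        # Origin header, if the browser sent one

SITE_ORIGIN = "https://monitor.example.internal"  # assumed deployment origin

def handle_command_vulnerable(req: Request) -> str:
    # Only checks that a session cookie is present. A page in another tab
    # can trigger such a request and the cookie goes along with it, so the
    # command is applied on the logged-in user's behalf.
    if req.cookie_session is None:
        return "denied: not logged in"
    return f"applied: {req.form.get('cmd')} by {req.cookie_session.user}"

def handle_command_fixed(req: Request) -> str:
    # State-changing requests must be POST, must come from the tool's own
    # origin when an Origin header is present, and must carry the session's
    # anti-CSRF token, which a foreign page cannot read.
    if req.cookie_session is None:
        return "denied: not logged in"
    if req.method != "POST":
        return "denied: state change requires POST"
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return "denied: cross-origin request"
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, req.cookie_session.csrf_token):
        return "denied: missing or invalid anti-CSRF token"
    return f"applied: {req.form.get('cmd')} by {req.cookie_session.user}"
```

The token comparison uses `hmac.compare_digest` so that a mismatch is rejected in constant time; the Origin check is a second, independent layer for browsers that send the header.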
According to the changelog, the developers also fixed four minor non-security problems and added information about potential security risks when handling the Common Gateway Interface (CGI) to the documentation.
- Nagios 3.x Version History, description by Nagios