In association with heise online

6 November 2008, 11:54

Nagios update closes "Cross Site Request Forgery" hole

The Nagios developers have closed a cross-site request forgery (CSRF) vulnerability in version 3.0.5 of the open source tool for monitoring servers and network components. The vulnerability allows attackers to access the tool's web interface without authenticating themselves and, among other things, change the configuration.

For an attack to succeed, though, a Nagios user who has logged into Nagios would need to open a second window containing a specially crafted web page. The problem is caused by insufficient validity checking of HTTP requests. While Nagios is only used for monitoring systems, not for controlling them, attackers could conceal the failure of an important security system by manipulating the monitoring tool.
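The kind of check a web interface can apply to a state-changing request before acting on it, written here as an added example for this article and not taken from the Nagios code base; it assumes the server knows its own host name and has issued a per-session token, and the host and token values in the comments are constructed:

```c
#include <stddef.h>
#include <string.h>

/* Constant-time comparison so the token check leaks nothing through timing. */
static int ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    if (la != lb) return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < la; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Copy the host[:port] part of an Origin header such as
   "https://nagios.example:8443" into out. Returns 0 if the header is
   absent or malformed. */
static int origin_host(const char *origin, char *out, size_t outlen) {
    if (origin == NULL) return 0;
    const char *p = strstr(origin, "://");
    if (p == NULL) return 0;
    p += 3;
    size_t n = strcspn(p, "/");
    if (n == 0 || n >= outlen) return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Decide whether a request that changes state may proceed.
   expected_host:  the host[:port] the interface is served from (assumed known)
   origin:         the request's Origin header, or NULL if absent
   form_token:     the token submitted with the form, or NULL if absent
   session_token:  the token bound to the authenticated session
   Returns 1 to allow, 0 to reject. */
int csrf_request_allowed(const char *method, const char *expected_host,
                         const char *origin, const char *form_token,
                         const char *session_token) {
    char host[256];
    /* A GET must never change state; require POST for any command. */
    if (method == NULL || strcmp(method, "POST") != 0) return 0;
    /* Browsers attach Origin to cross-site POSTs; reject it if missing or foreign. */
    if (!origin_host(origin, host, sizeof host)) return 0;
    if (strcmp(host, expected_host) != 0) return 0;
    /* The per-session token must be present and match exactly. */
    if (form_token == NULL || session_token == NULL) return 0;
    return ct_equal(form_token, session_token);
}
```

A page loaded from another site cannot read the session token or forge a matching Origin, so a request it triggers in the victim's browser fails both checks even though the session cookie is sent along.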

According to the changelog, the developers also fixed four minor non-security problems and added information about potential security risks when handling the Common Gateway Interface (CGI) to the documentation.


(djwm)
