In association with heise online

06 November 2008, 10:54

Nagios update closes "Cross Site Request Forgery" hole

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

The Nagios developers have closed a "Cross Site Request Forgery" vulnerability in version 3.0.5 of the open source tool for monitoring servers and network components. The vulnerability allows attackers to access the tool's web interface without authenticating themselves and change, among other things, the configuration.

For a successful attack to work though, after logging into Nagios, a Nagios user would need to open a second window containing a specially crafted web page. The problem is caused by insufficient validity checking of HTTP requests. While Nagios is only used for monitoring, and not controlling systems, attackers could conceal the failure of an important security system by manipulating the monitoring tool.

According to the changelog, the developers also fixed four minor non-security problems and added information about potential security risks when handling the Common Gateway Interface (CGI) to the documentation.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit