[Xymon] CGI Security

Jeremy Laidman jlaidman at rebel-it.com.au
Wed Jul 29 05:49:52 CEST 2015


Perhaps you could edit svcstatus.sh, and have it cross-check the
REMOTE_USER or REMOTE_GROUP value against the HOST part of the
QUERY_STRING.  This is made significantly simpler if the username/groupname
is the client device domain name, in which case, something like this might
work:

#!/bin/sh

# This is a wrapper for the Xymon svcstatus.cgi script

echo "$QUERY_STRING" | sed -n
'/^HOST=[-_a-z0-9.]*'"$REMOTE_USER"'&SERVICE=[^&]*$/p' | grep ^ >/dev/null
|| {
    echo "Sorry, you don't have access to this page"
    exit 1
}

. /usr/lib/xymon/server/etc/cgioptions.cfg
 exec /usr/lib/xymon/server/bin/svcstatus.cgi $CGI_SVC_OPTS


On 28 July 2015 at 23:05, Bruno Deschamps <bruno at redix.com.br> wrote:

>  Hi,
>
>
>  Im using xymon to monitoring my clients servers.
>
>
>  The clients access the xymon on the URL like above:
>
>
>  http://host.com/client1
>
> http://host.com/client <http://host.com/client1>2
>
>  http://host.com/client <http://host.com/client1>3
>
>
>  Every client has his own directory for all servers.
>
> When the client access the directory client1 for example, i use a
> .htpasswd to authenticate the user. The user only has access to his
> directory
>
> I notice that there is a security problem for a specific item link like
> above:
>
> http://host.com/cgi/svcstatus.sh?HOST=server1.client1.com&SERVICE=files
>
>  If im logged with user client1 i can see the item correctly, but if i
> manually  change the url for another client, like somenting:
>
> http://host.com/cgi/svcstatus.sh?HOST=server2.client2.com&SERVICE=files
>
>  I can see the content of another client.
>
>
>  There is a way to restrict or block the access from users that dont have
> permission?
>
>
>  Att
>
>
>
>
>
> _______________________________________________
> Xymon mailing list
> Xymon at xymon.com
> http://lists.xymon.com/mailman/listinfo/xymon
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20150729/a747035c/attachment.html>


More information about the Xymon mailing list