[Xymon] CGI Security

Bruno Deschamps bruno at redix.com.br
Tue Jul 28 15:05:59 CEST 2015


Hi,


I'm using Xymon to monitor my clients' servers.


The clients access Xymon at URLs like these:


http://host.com/client1


http://host.com/client2


http://host.com/client3



Every client has his own directory for all servers.

When the client accesses the directory client1, for example, I use a .htpasswd to authenticate the user. The user only has access to his directory.

I notice that there is a security problem with a specific item link like this:

http://host.com/cgi/svcstatus.sh?HOST=server1.client1.com&SERVICE=files


If I'm logged in as user client1 I can see the item correctly, but if I manually change the URL to another client's, something like:

http://host.com/cgi/svcstatus.sh?HOST=server2.client2.com&SERVICE=files


I can see the content of another client.


Is there a way to restrict or block access from users that don't have permission?


Regards,
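
The missing check described in the message above, as an added example that is not part of the original post and not Xymon's own code: a POSIX sh guard that compares the authenticated user with the `HOST` parameter before the real CGI runs. It assumes the `/cgi/` path is behind the same Basic authentication (so the web server sets `REMOTE_USER`) and that user `clientN` owns hosts named `*.clientN.com`; the function names and `REAL_CGI` are hypothetical.

```sh
#!/bin/sh
# Added example: per-user host check in front of a status CGI.
# ASSUMPTION: htpasswd user "clientN" owns hosts named *.clientN.com,
# as in the URLs in the post; replace owner_suffix() with the real mapping.

# Map an authenticated user name to the hostname suffix it may view.
owner_suffix() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;   # empty or unexpected user name
        *) printf '.%s.com' "$1" ;;
    esac
}

# Print the HOST value of a query string. Fails when HOST is missing,
# repeated, or holds anything but plain hostname characters, so
# percent-encoded or duplicated parameters are refused, not interpreted.
query_host() {
    found='' count=0 oldifs=$IFS
    IFS='&;'; set -f
    for pair in $1; do
        case "$pair" in
            HOST=*) found=${pair#HOST=}; count=$((count + 1)) ;;
        esac
    done
    set +f; IFS=$oldifs
    [ "$count" -eq 1 ] || return 1
    case "$found" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    printf '%s' "$found"
}

# Succeed only if user $1 may view the host named in query string $2.
authorize() {
    suffix=$(owner_suffix "$1") || return 1
    host=$(query_host "$2") || return 1
    case "$host" in
        *"$suffix") return 0 ;;
    esac
    return 1
}

# Wrapper body: REAL_CGI is a placeholder for the path of the real CGI.
guard_cgi() {
    if authorize "${REMOTE_USER:-}" "${QUERY_STRING:-}"; then
        exec "${REAL_CGI:?path of the real CGI}"
    fi
    printf 'Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nForbidden\n'
}
```

Every path that cannot be positively matched (no user, no `HOST`, a lowercase or encoded parameter name, a second `HOST`) ends in the 403 branch, so the guard fails closed.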



