[Xymon] CGI Security
Thomas Eckert
thomas.eckert at IT-Eckert.de
Wed Jul 29 07:41:12 CEST 2015
I'm not using this actively but tested it a few years back when it was implemented with success:
Quite some xymon CGIs support using an Apache compatible group-definitions file.
The following cgi scrips support this.:
svcstatus.cgi(1)
acknowledge.cgi(1)
enadis.cgi(1)
appfeed.cgi(1)
More details can be found in man page https://www.xymon.com/help/manpages/man5/xymonwebaccess.5.html
All the best
Thomas
Am 28.07.2015 3:05 nachm. schrieb Bruno Deschamps <bruno at redix.com.br>:
>
> Hi,
>
>
> Im using xymon to monitoring my clients servers.
>
>
> The clients access the xymon on the URL like above:
>
>
> http://host.com/client1
>
>
> http://host.com/client2
>
> http://host.com/client3
>
>
> Every client has his own directory for all servers.
>
> When the client access the directory client1 for example, i use a .htpasswd to authenticate the user. The user only has access to his directory
>
> I notice that there is a security problem for a specific item link like above:
>
> http://host.com/cgi/svcstatus.sh?HOST=server1.client1.com&SERVICE=files
>
> If im logged with user client1 i can see the item correctly, but if i manually change the url for another client, like somenting:
>
> http://host.com/cgi/svcstatus.sh?HOST=server2.client2.com&SERVICE=files
>
> I can see the content of another client.
>
>
> There is a way to restrict or block the access from users that dont have permission?
>
>
> Att
>
>
>
>
More information about the Xymon
mailing list