[Xymon] Xymon 4.3.3 released, including security-related bugfixes

Henrik Størner henrik at hswn.dk
Fri May 6 08:19:02 CEST 2011


Hi,

Xymon version 4.3.3 is now available for download from Sourceforge.

This release contains some important security-related bugfixes - 
essentially, some of the Xymon CGI scripts can be abused to read any 
file on the webserver. So upgrading is highly recommended.

Some of these issues are probably present in all of the older 4.0.x and 
4.2.x versions, so if you haven't upgraded to 4.3.x yet, this might be a 
good opportunity to do so.

I would like to thank Jeremy Laidman for reporting this issue.


A couple of other bugfixes were also included in this version. Here's 
the full list:

* SECURITY FIX: Some CGI parameters were used to construct
   filenames of historical logfiles without being sanitized,
   so they could be abused to read files on the webserver.
* SECURITY FIX: More cross-site scripting vulnerabilities.
* Remove extra "," before "History" button on status-view
* Critical view: Shrink priority-column to 10% width
* hosts.cfg loader: Check for valid IP spec (nibbles in
   0-255 range). Large numbers in a nibble were accepted,
   triggering problems when trying to ping the host.
* Alert macros no longer limited to 8kB
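The two input-validation fixes in this list (restricting the CGI-supplied filename parts to the history directory, and checking that every part of a dotted-quad IP address is in the 0-255 range) are illustrated by the following added C example. It is not Xymon's code; the HISTDIR path, the function names and the character whitelist are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <ctype.h>

/* Assumed history directory; the real Xymon reads this from its configuration. */
#define HISTDIR "/var/lib/xymon/hist"

/* 1 if name is usable as a single path component: non-empty, not "." or "..",
 * and only [A-Za-z0-9._-], so no '/' or other separator can escape HISTDIR. */
int safe_name_component(const char *name)
{
    size_t i, n;
    if (name == NULL) return 0;
    n = strlen(name);
    if (n == 0 || n > 255 || strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Build HISTDIR/<host>/<test> from two CGI parameters; returns NULL when either
 * parameter fails validation. Static buffer: acceptable for a one-shot CGI. */
const char *build_hist_path(const char *host, const char *test)
{
    static char path[1024];
    int len;
    if (!safe_name_component(host) || !safe_name_component(test)) return NULL;
    len = snprintf(path, sizeof path, "%s/%s/%s", HISTDIR, host, test);
    return (len > 0 && (size_t)len < sizeof path) ? path : NULL;
}

/* 1 if ip is a dotted quad of exactly four parts, each 1-3 digits valued 0-255. */
int valid_ipv4(const char *ip)
{
    int octets = 0;
    if (ip == NULL) return 0;
    while (isdigit((unsigned char)*ip)) {
        char *end;
        long v = strtol(ip, &end, 10);
        if (end - ip > 3 || v > 255) return 0;   /* rejects e.g. 10.0.0.999 */
        octets++;
        ip = end;
        if (*ip != '.') break;
        ip++;
    }
    return *ip == '\0' && octets == 4;
}
```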


Regards,
Henrik
