On 6/29/2016 9:37 AM, Becker Christian wrote:
- snip -
Now we are in the situation that we need to present some special devices to an external company. I did this by setting up an alternate pageset, following the Tips and Tricks section from the Xymon website.
Everything is working as expected, but the external company is able to „break out“ of this special pageset. - snip -
Even if you succeed in stripping the menus from all of the alternate pages, the URLs and cgis are still going to work. It isn't going to be hard to look at the address bar:
https://xymon.bar.com/xymon-cgi/svcstatus.sh?HOST=foo.bar.com&SERVICE=info
and figure out that any host can be displayed just by changing the "HOST=" value. Alternate page sets (on the same web server) are not going to really "jail" those users.
See if you can publish your alternate page set on an apache vhost. You could then prevent the external users from reaching your primary vhost.
-- Do things because you should, not just because you can.
John Thurston 907-465-8591 John.Thurston at alaska.gov Enterprise Technology Services Department of Administration State of Alaska