Hi,
I'm using xymon to monitor my clients' servers.
The clients access xymon on URLs like the ones below:
http://host.com/client2
http://host.com/client3
Every client has his own directory for all of his servers.
When the client accesses the directory client1, for example, I use a .htpasswd to authenticate the user. The user only has access to his directory.
I noticed that there is a security problem for a specific item link like the one below:
http://host.com/cgi/svcstatus.sh?HOST=server1.client1.com&SERVICE=files
If I'm logged in as user client1 I can see the item correctly, but if I manually change the URL to another client, like so:
http://host.com/cgi/svcstatus.sh?HOST=server2.client2.com&SERVICE=files
I can see the content of another client.
Is there a way to restrict or block access for users that don't have permission?
Regards,
Perhaps you could edit svcstatus.sh, and have it cross-check the REMOTE_USER or REMOTE_GROUP value against the HOST part of the QUERY_STRING. This is made significantly simpler if the username/groupname is the client device domain name, in which case, something like this might work:
#!/bin/sh
# Wrapper for the Xymon svcstatus.cgi script: allow the request only when HOST ends with the authenticated REMOTE_USER
echo "$QUERY_STRING" | sed -n '/^HOST=[-_a-z0-9.]*'"$REMOTE_USER"'&SERVICE=[^&]*$/p' | grep ^ >/dev/null || {
    printf 'Content-type: text/plain\n\n'   # CGI header, so the browser shows the message instead of a server error
    echo "Sorry, you don't have access to this page"; exit 1
}
. /usr/lib/xymon/server/etc/cgioptions.cfg
exec /usr/lib/xymon/server/bin/svcstatus.cgi $CGI_SVC_OPTS
On 28 July 2015 at 23:05, Bruno Deschamps <bruno at redix.com.br> wrote:
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon
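A stricter variant of the check suggested above, added here as an example and not the reply's wrapper or Xymon's own code: it parses the HOST parameter, rejects malformed values, and only accepts a host that is the user's domain or sits beneath it on a '.' label boundary. Like the reply, it assumes REMOTE_USER is the client's domain name (e.g. "client1.com"); the sample query strings are constructed from the thread.

```shell
#!/bin/sh
# Added example (not the wrapper from the reply above, nor Xymon's own code).
# Authorize a svcstatus request by checking that the HOST= query parameter names a
# machine inside the authenticated user's domain. As in the reply, it assumes the
# Basic-auth username (REMOTE_USER) is the client's domain name, e.g. "client1.com".

# Print the value of parameter $2 from query string $1 (hostnames need no URL-decoding).
query_param() {
    printf '%s\n' "$1" | tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Return 0 when HOST is the user's domain or a host beneath it, 1 otherwise.
host_allowed() {
    qs=$1
    user=$2
    host=$(query_param "$qs" HOST)
    # Refuse empty values and anything outside hostname characters before comparing.
    case $host in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    case $user in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    # Exact match, or a suffix match on a '.' label boundary, so that
    # "evilclient1.com" is not accepted for user "client1.com".
    case $host in
        "$user"|*".$user") return 0 ;;
    esac
    return 1
}

# Wrapper usage under CGI: deny with a proper header, otherwise hand off to the real CGI.
if [ -n "${REMOTE_USER:-}" ] && [ -n "${QUERY_STRING:-}" ]; then
    if ! host_allowed "$QUERY_STRING" "$REMOTE_USER"; then
        printf 'Content-type: text/plain\n\nSorry, you do not have access to this page\n'
        exit 1
    fi
    # . /usr/lib/xymon/server/etc/cgioptions.cfg
    # exec /usr/lib/xymon/server/bin/svcstatus.cgi $CGI_SVC_OPTS
fi
```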
I'm not using this actively but tested it a few years back when it was implemented, with success:
Quite a few xymon CGIs support using an Apache-compatible group-definitions file.
The following CGI scripts support this: svcstatus.cgi(1), acknowledge.cgi(1), enadis.cgi(1), appfeed.cgi(1)
More details can be found in the man page https://www.xymon.com/help/manpages/man5/xymonwebaccess.5.html
All the best, Thomas
On 28.07.2015 at 3:05 PM, Bruno Deschamps <bruno at redix.com.br> wrote:
participants (3)
- bruno@redix.com.br
- jlaidman@rebel-it.com.au
- thomas.eckert@IT-Eckert.de