CGI Security
list Bruno Deschamps
Hi, I'm using Xymon to monitor my clients' servers. The clients access Xymon on URLs like these: http://host.com/client1 http://host.com/client2 http://host.com/client3 Every client has his own directory for all servers. When the client accesses the directory client1, for example, I use a .htpasswd to authenticate the user. The user only has access to his directory. I noticed that there is a security problem for a specific item link like this: http://host.com/cgi/svcstatus.sh?HOST=server1.client1.com&SERVICE=files If I'm logged in as user client1 I can see the item correctly, but if I manually change the URL to another client, like this: http://host.com/cgi/svcstatus.sh?HOST=server2.client2.com&SERVICE=files I can see the content of another client. Is there a way to restrict or block access from users that don't have permission? Att
list Jeremy Laidman
Perhaps you could edit svcstatus.sh, and have it cross-check the
REMOTE_USER or REMOTE_GROUP value against the HOST part of the
QUERY_STRING. This is made significantly simpler if the username/groupname
is the client device domain name, in which case, something like this might
work:
#!/bin/sh
# This is a wrapper for the Xymon svcstatus.cgi script.
# Allow the request only if the HOST in the query string ends with the
# authenticated user's name (assumes the user name is the client domain).
echo "$QUERY_STRING" | sed -n '/^HOST=[-_a-z0-9.]*'"$REMOTE_USER"'&SERVICE=[^&]*$/p' | grep ^ >/dev/null || {
    # A CGI must send a header line and a blank line before any body text
    echo "Content-type: text/plain"
    echo
    echo "Sorry, you don't have access to this page"
    exit 1
}
. /usr/lib/xymon/server/etc/cgioptions.cfg
exec /usr/lib/xymon/server/bin/svcstatus.cgi $CGI_SVC_OPTS
On 28 July 2015 at 23:05, Bruno Deschamps <user-7d3e56552c08@xymon.invalid> wrote:
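A stricter form of the cross-check Jeremy describes, as an added example that is not part of the thread or of Xymon: it parses HOST out of QUERY_STRING and requires a dot boundary before the user's domain, so a host name that merely ends in the same characters is refused. It assumes, as Jeremy's version does, that the .htpasswd user name is the client's domain name; query_param, host_allowed and authorize_request are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the thread or from Xymon: a stricter
# REMOTE_USER / HOST cross-check for an svcstatus.cgi wrapper.
# Assumptions: the .htpasswd user name is the client's domain
# (e.g. "client1.com") and HOST is a name inside that domain.

# Print the value of one parameter from a CGI query string (no URL decoding).
query_param() {
    # $1 = query string, $2 = parameter name
    printf '%s\n' "$1" | tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Succeed only when HOST ($2) equals the user's domain ($1) or ends in
# ".<domain>", so "evilclient1.com" is rejected for user "client1.com".
host_allowed() {
    user=$1
    host=$2
    [ -n "$user" ] || return 1
    case "$host" in
        "$user" | *".$user") return 0 ;;
    esac
    return 1
}

# Decide for a whole request: 0 = allow, 1 = deny.
authorize_request() {
    # $1 = REMOTE_USER, $2 = QUERY_STRING
    host=$(query_param "$2" HOST)
    case "$host" in
        '' | *[!_a-zA-Z0-9.-]*) return 1 ;;   # empty or unexpected characters
    esac
    host_allowed "$1" "$host"
}

# When run by the web server as a CGI (GATEWAY_INTERFACE is set), act as
# the wrapper; the paths are the ones quoted in the thread.
if [ -n "$GATEWAY_INTERFACE" ]; then
    if authorize_request "$REMOTE_USER" "$QUERY_STRING"; then
        . /usr/lib/xymon/server/etc/cgioptions.cfg
        exec /usr/lib/xymon/server/bin/svcstatus.cgi $CGI_SVC_OPTS
    fi
    # A CGI must emit a header before the body, or Apache returns a 500.
    printf 'Content-type: text/plain\r\n\r\nSorry, you do not have access to this page\n'
    exit 1
fi
```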
list Thomas Eckert
I'm not using this actively but tested it a few years back when it was implemented, with success: quite some Xymon CGIs support using an Apache-compatible group-definitions file. The following CGI scripts support this:
svcstatus.cgi(1)
acknowledge.cgi(1)
enadis.cgi(1)
appfeed.cgi(1)
More details can be found in the man page https://www.xymon.com/help/manpages/man5/xymonwebaccess.5.html
All the best
Thomas
On 28.07.2015 3:05 PM, Bruno Deschamps <user-7d3e56552c08@xymon.invalid> wrote:
list John Tullis
I was able to get CGI security working with the PAGE parameter but was unable to get it working with any SUBPAGE or SUBGROUP parameter. Is this an option or will I have to explicitly add each individual HOST? I have all of the servers and access in a SQL table and use PHP security to limit access to all other pages. Has anyone successfully configured XYMON to look to a database for CGI security based on SUBPAGE? This is in reference to: https://www.xymon.com/help/manpages/man5/xymonwebaccess.5.html Thanks, John
list John Tullis
Anyone run into this?
John Tullis
cell: XXX.XXX.XXXX
-----Original Message-----
From: John Tullis [user-a6bbfd057f07@xymon.invalid]
Received: Thursday, 09 Aug 2018, 7:10PM
To: xymon at xymon.com [xymon at xymon.com]
Subject: [Xymon] CGI Security