[Pkg-nagios-devel] Bug#504894: SA32610: Nagios "cmd.cgi" Cross-Site Request Forgery
atomo64 at gmail.com
Fri Nov 7 20:12:01 UTC 2008
Tags: security patch
The following SA (Secunia Advisory) id was published for Nagios.
> Andreas Ericsson has discovered a vulnerability in Nagios, which can be
> exploited by malicious people to conduct cross-site request forgery
> The application allows users to perform certain actions via HTTP requests
> to "cmd.cgi" without performing any validity checks to verify the request.
> This can be exploited to execute certain Nagios commands (e.g. to disable
> notifications) when a logged-in administrator visits a malicious web site.
> The vulnerability is confirmed in version 3.0.5. Other versions may also be
A proposed patch is available at .
If you fix the vulnerability please also make sure to include the SA id (or
the CVE id when one is assigned) in the changelog entry.
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
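
One form the missing validity check could take, as an added example that is neither the proposed patch mentioned above nor Nagios code: a CGI program refuses any request whose Origin (or, failing that, Referer) header does not name the host it was served from. The helper name `request_is_same_origin` is hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Point at the authority (host[:port]) of an http(s) URL; NULL for any other scheme. */
static const char *url_authority(const char *url, size_t *len)
{
    const char *p;

    if (strncasecmp(url, "https://", 8) == 0)
        p = url + 8;
    else if (strncasecmp(url, "http://", 7) == 0)
        p = url + 7;
    else
        return NULL;
    *len = strcspn(p, "/?#");
    return p;
}

/* Hypothetical helper: 1 if the request was issued from a page on this host, else 0. */
int request_is_same_origin(const char *host, const char *origin, const char *referer)
{
    const char *src = (origin && *origin) ? origin : referer;
    const char *auth;
    size_t len = 0;

    if (!host || !*host || !src || !*src)
        return 0;   /* fail closed: nothing to validate against */
    auth = url_authority(src, &len);
    if (!auth)
        return 0;   /* "null" origin or non-http scheme */
    /* Exact match only, so "host.evil.example" and "host@evil.example" are rejected. */
    return len == strlen(host) && strncasecmp(auth, host, len) == 0;
}

int main(void)
{
    /* CGI passes request headers as HTTP_* environment variables. */
    if (!request_is_same_origin(getenv("HTTP_HOST"), getenv("HTTP_ORIGIN"),
                                getenv("HTTP_REFERER"))) {
        printf("Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n");
        printf("Request rejected: not issued from this Nagios host.\n");
        return 0;
    }
    /* Assumption: the command would be parsed and submitted only past this point. */
    printf("Content-Type: text/plain\r\n\r\nRequest accepted.\n");
    return 0;
}
```

A per-request token bound to the authenticated user is the stronger control; this header check fails closed when a client sends neither header.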