[Pkg-nagios-devel] Bug#504894: SA32610: Nagios "cmd.cgi" Cross-Site Request Forgery

Raphael Geissert atomo64 at gmail.com
Fri Nov 7 20:12:01 UTC 2008

Package: nagios3
Severity: grave
Tags: security patch


The following SA (Secunia Advisory) id was published for Nagios.

> Andreas Ericsson has discovered a vulnerability in Nagios, which can be
> exploited by malicious people to conduct cross-site request forgery
> attacks.
> The application allows users to perform certain actions via HTTP requests
> to "cmd.cgi" without performing any validity checks to verify the request.
> This can be exploited to execute certain Nagios commands (e.g. to disable
> notifications) when a logged-in administrator visits a malicious web site.
> The vulnerability is confirmed in version 3.0.5. Other versions may also be
> affected.

A proposed patch is available at [2].

If you fix the vulnerability, please also make sure to include the SA id (or the CVE id when one is assigned) in the changelog entry.


Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
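The request pattern the advisory describes, and the check a fix has to add, as an added example that is not Nagios's own cmd.cgi code and not the patch referenced at [2]. It assumes the real cmd.cgi form field names `cmd_typ` and `cmd_mod`, assumes command number 11 stands for "disable notifications" (a guess for illustration), and invents a `csrf_token` field, a `session` struct and a demo token; the handler is a toy that only parses the form body, it does not talk to the Nagios command pipe.

```c
/* Added example, not Nagios code: a minimal cmd.cgi-style handler.
 * The vulnerable variant accepts any command from an authenticated user,
 * so a page on another site can submit the form and the browser attaches
 * the admin's cookie. The hardened variant also demands a per-session
 * token that only a page served from the Nagios origin could have read. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CMD_DISABLE_NOTIFICATIONS 11   /* assumed command number */

/* Server-side state for a logged-in user (looked up from the cookie). */
struct session {
    const char *user;
    const char *csrf_token;   /* secret embedded in the command form */
};

/* Constructed demo session; the token is a made-up value. */
const struct session demo_session = { "nagiosadmin", "k7Qp2Zt9constructed" };

/* Fetch one key from an application/x-www-form-urlencoded body into out.
 * Toy parser: no percent-decoding, which the tokens used here do not need.
 * Returns out on success, NULL if the key is absent. */
static const char *form_get(const char *body, const char *key,
                            char *out, size_t outlen) {
    size_t klen = strlen(key);
    const char *p = body;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *end = strchr(v, '&');
            size_t vlen = end ? (size_t)(end - v) : strlen(v);
            if (vlen >= outlen) vlen = outlen - 1;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return out;
        }
        p = strchr(p, '&');
        if (p) p++;
    }
    return NULL;
}

/* Vulnerable: being logged in is the only check. Returns the command
 * number it would execute, or -1 if the request is rejected. */
int handle_cmd_vulnerable(const struct session *s, const char *body) {
    char val[64];
    if (!s) return -1;                                   /* not logged in */
    if (!form_get(body, "cmd_typ", val, sizeof val)) return -1;
    return atoi(val);
}

/* Compare two strings without leaking where they first differ. */
static int ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la ^ lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Hardened: the body must carry the token tied to this session. A forged
 * cross-site form cannot include it, because the attacker's page cannot
 * read the Nagios form (same-origin policy), so the request is dropped. */
int handle_cmd_hardened(const struct session *s, const char *body) {
    char val[64], tok[64];
    if (!s) return -1;
    if (!form_get(body, "csrf_token", tok, sizeof tok)) return -1;
    if (!ct_equal(tok, s->csrf_token)) return -1;
    if (!form_get(body, "cmd_typ", val, sizeof val)) return -1;
    return atoi(val);
}

int main(void) {
    /* Constructed bodies: what a malicious page can submit (cookie only)
     * versus what the real Nagios command form submits. */
    const char *forged = "cmd_typ=11&cmd_mod=2";
    const char *legit  = "cmd_typ=11&cmd_mod=2&csrf_token=k7Qp2Zt9constructed";
    printf("vulnerable, forged request: cmd %d\n",
           handle_cmd_vulnerable(&demo_session, forged));
    printf("hardened,   forged request: cmd %d\n",
           handle_cmd_hardened(&demo_session, forged));
    printf("hardened,   legit request:  cmd %d\n",
           handle_cmd_hardened(&demo_session, legit));
    return 0;
}
```

The token only helps if the form that carries it is itself not readable cross-origin and the check is applied to every state-changing command, including ones submitted via GET; checking the Referer header instead is weaker, since it is optional and stripped by many clients.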
