-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Tim Starling wrote:
Apparently the nagios developers are so confident that nagios's command
interface has arbitrary shell execution vulnerabilities that they go to
extreme lengths to prevent you from enabling it in an environment without
password protection.

I would chalk it up to paranoia, except that Nagios NRPE has a similar
protection against enabling parameters to check commands, and it turns out
that those parameters are indeed passed through to the shell without
proper escaping.

Ah, Nagios, how do I love/hate thee? Let me count the ways!

- -- brion
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkjy1rcACgkQwRnhpk1wk47uTQCfcXQ8TOq4EeY9fSr6LFlnsd0a
RicAn1akCzvJ8KgCAhMfB5AeFW7StPaI
=ItwG
-----END PGP SIGNATURE-----
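
The failure mode discussed in this message, check parameters substituted into a command line that a shell then parses, is avoided by splitting the trusted template first and executing an argv list. This is an added example, not part of the original message and not Nagios or NRPE code; the `$ARGn$` template, the allow-list and the stand-in plugin are assumptions made for illustration.

```python
import re
import shlex
import subprocess
import sys

# Hypothetical check definition: a command template with $ARGn$ macros.
# The stand-in "plugin" is a Python one-liner that reports the argv it got.
PLUGIN = [sys.executable, "-c",
          "import sys; print(len(sys.argv) - 1, '|'.join(sys.argv[1:]))"]
TEMPLATE = "-H $ARG1$ -w $ARG2$"
MACRO = re.compile(r"\$ARG(\d+)\$")
ALLOWED = re.compile(r"[A-Za-z0-9_.:%/][A-Za-z0-9_.:%/-]*")  # assumed allow-list


def shell_string(template, args):
    """The unsafe pattern: one string that would later be handed to a shell."""
    return MACRO.sub(lambda m: args[int(m.group(1)) - 1], template)


def build_argv(template, args):
    """Split the trusted template first, then substitute macros word by word.

    A supplied value can never add words or operators, because the result is
    executed without a shell. Values are also allow-listed (no leading dash,
    no whitespace or metacharacters) so odd input is rejected, not passed on.
    """
    for value in args:
        if not ALLOWED.fullmatch(value):
            raise ValueError(f"rejected check argument: {value!r}")
    return [MACRO.sub(lambda m: args[int(m.group(1)) - 1], word)
            for word in shlex.split(template)]


def run_check(template, args):
    """Run the stand-in plugin with an argv list; no shell is involved."""
    out = subprocess.run(PLUGIN + build_argv(template, args),
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    constructed = ["db1.example.org; echo extra", "80%"]  # constructed input
    print("string a shell would parse:", shell_string(TEMPLATE, constructed))
    try:
        run_check(TEMPLATE, constructed)
    except ValueError as err:
        print(err)
    print(run_check(TEMPLATE, ["db1.example.org", "80%"]))
```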