Tim Starling wrote:
> Apparently the nagios developers are so confident that nagios's command interface has arbitrary shell execution vulnerabilities that they go to extreme lengths to prevent you from enabling it in an environment without password protection.
>
> I would chalk it up to paranoia, except that Nagios NRPE has a similar protection against enabling parameters to check commands, and it turns out that those parameters are indeed passed through to the shell without proper escaping.
Ah, Nagios, how do I love/hate thee? Let me count the ways!
-- brion
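
The problem described in this thread, check-command parameters reaching a shell unescaped, as an added example that is not code from NRPE or from either poster. The command template, the sample argument and all function names are constructed for illustration; it compares raw substitution with quoting and with shell-free execution.

```python
import re
import shlex
import subprocess

# Constructed check-command definition and argument (not from the thread).
TEMPLATE = "echo checked $ARG1$"
SAMPLE_ARG = "disk; echo INJECTED"

MACRO = re.compile(r"\$ARG(\d+)\$")

def _fill(text, args, wrap=str):
    # Replace each $ARGn$ with wrap(args[n-1]); a missing argument raises IndexError.
    return MACRO.sub(lambda m: wrap(args[int(m.group(1)) - 1]), text)

def expand_unsafe(template, args):
    """Flawed pattern: raw substitution into a string that a shell will parse."""
    return _fill(template, args)

def expand_quoted(template, args):
    """If a shell is unavoidable, quote every argument before substitution."""
    return _fill(template, args, wrap=shlex.quote)

def expand_argv(template, args):
    """Preferred: split the template first, substitute per element, run without a shell."""
    return [_fill(token, args) for token in shlex.split(template)]

def run(command):
    """Strings go through `sh -c`; lists are executed directly."""
    done = subprocess.run(command, shell=isinstance(command, str),
                          capture_output=True, text=True, check=True)
    return done.stdout

if __name__ == "__main__":
    for expand in (expand_unsafe, expand_quoted, expand_argv):
        print(expand.__name__, repr(run(expand(TEMPLATE, [SAMPLE_ARG]))))
```

With raw substitution the shell treats the `;` in the argument as a command separator; in the other two forms the whole argument stays a single word passed to `echo`.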