CVE-2022-46945: Comparing nagvis-1.9.33...nagvis-1.9.34 · NagVis/nagvis
NagVis before 1.9.34 was discovered to contain an arbitrary file read vulnerability via the component /core/classes/NagVisHoverUrl.php.
Commits on Aug 29, 2022
Fix type juggling vulnerability
PHP evaluates `!=` a bit loosely on the type. So `"0000" == "0e5678"` is true in PHP. An attacker could send a zeroed cookie_hash `"0"*32` and only need a collision with a calculated hash beginning with `0e` followed by only numbers.
In our tests (with auth.secret set to `stable`) a valid cookie is `cmkadmin:58191275:00000000000000000000000000000000`.
For a remote attacker this would have needed 58,191,275 guesses.
Maximilian Wirtz authored and LarsMichelsen committed
Aug 29, 2022
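The loose comparison described in the commit message above, next to a strict byte-wise comparison, as an added example. It is not NagVis code and does not show the project's actual fix; the function names and the stand-in hash values are constructed for illustration.

```php
<?php
// Added example, not NagVis code. Function names and hash values are
// constructed for illustration.

// Loose check: the `!=` operator the commit message describes. When both
// operands are numeric strings, PHP compares them as numbers.
function hashMatchesLoose(string $expected, string $supplied): bool
{
    return !($expected != $supplied);
}

// Strict check: hash_equals() compares the strings byte for byte, in
// constant time, with no numeric conversion.
function hashMatchesStrict(string $expected, string $supplied): bool
{
    return hash_equals($expected, $supplied);
}

// The zeroed cookie_hash from the commit message: "0" repeated 32 times.
$supplied = str_repeat('0', 32);

// Constructed stand-ins for a server-side calculated hash.
$calculated = [
    '0e + digits only' => '0e' . str_repeat('1234567890', 3),
    '0e + hex letters' => '0e' . str_repeat('12345abcde', 3),
    'ordinary hash'    => '9b2d7f0e41c86a35d0fe12ab3487c6e1',
];

foreach ($calculated as $label => $expected) {
    printf(
        "%-18s loose=%-5s strict=%s\n",
        $label,
        var_export(hashMatchesLoose($expected, $supplied), true),
        var_export(hashMatchesStrict($expected, $supplied), true)
    );
}
```

Only the digits-only `0e` value matches under the loose check, because both strings are then numeric and evaluate to zero; the strict check rejects all three.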
Mitigate arbitrary file read
With this change the URL is restricted to http and https. So no local files can be read. This still is a Server-side request forgery (SSRF).
Maximilian Wirtz authored and LarsMichelsen committed
Aug 29, 2022