Command CGI Scheduled Downtime Patch

We have monitoring servers shared by several customers. Problem is that one user can enter a downtime and sees the other user's machines by using the "Triggered by" option. This is a severe security incident for us. This has been fixed in a way that every customer can only see his own machines. Concerned file: cmd.c Diff: 116 int string_to_time(char *,time_t *); 117 118 //PATCH 119 host *temp_host=NULL; 120 //PATCH END 121 122 int main(void){ 1178 if(temp_downtime->type!=HOST_DOWNTIME) 1179 continue; 1180 // PATCH 1181 /* find the host... */ 1182 temp_host=find_host(temp_downtime->host_name); 1183 1184 /* make sure user has rights to view this host */ 1185 if(is_authorized_for_host(temp_host,¤t_authdata)==FALSE) 1186 continue; 1187 //PATCH END 1188 printf("",temp_downtime->downtime_id); I added also the whole file. It would be great if this patch could be integrated into the next version. This would make us update safe.

You must be logged in to submit a review.

Your review has been submitted and is pending approval.

Your recommendation has been sent.

Project Overview Project Files Project Notes Reviews