However, commercial monitoring alternatives that run purely on Windows are very resource-hungry and require at least one Windows Server license. Overall this makes them an expensive affair, and it does not solve all of the problems that Nagios has: the resource requirements of Windows as the host system usually limit how far the monitoring can scale.
To control the $id argument, we look at where the autodiscovery_component_update_cron() function is called. The caller is the do_update_job() function in the file nagiosxi/html/includes/components/autodiscovery/index.php.
The getprofile.sh script can be executed via sudo by both the nagios and the apache user. Part of the script reads the last 100 lines of the file /usr/local/nagiosxi/tmp/phpmailer.log and writes them to /usr/local/nagiosxi/var/components/profile/$folder/phpmailer.log.
The eval column comes from the $options argument of the get_paged_table function. To control this argument we must look at ah_paged_table, the function that calls get_paged_table. The ah_paged_table function is located in the file nagiosfusion/html/ajaxhelper.php.
With the ability to eval PHP code on the Fusion server, we can run code as the apache user. As the apache user we can insert a malicious row into the commands table of the fusion database. That row triggers the command injection vulnerability in the cmd_subsys.php script, which executes our code as the nagios user.
At the bottom of the code excerpt of the process_command function in the file nagiosfusion/cron/cmd_subsys.php, we can see the call to exec(), which takes the $cmd_line argument. $cmd_line is a string that invokes the change_timezone script with the timezone value appended, and the $timezone variable is simply the $data argument of process_command. Therefore, if we can reach process_command with a $data argument we control, we can execute system-level commands.
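The following is an added illustration and not code from Nagios Fusion: it reproduces the mechanism behind the flaw described above in plain sh. PHP's exec() hands its string to /bin/sh -c, so splicing an untrusted value into the command text lets shell metacharacters in that value become part of the command. The block shows the unsafe pattern beside two fixes: passing the value as a positional parameter rather than as command text, and an allow-list check against the system zoneinfo directory. The function names, the ZONEINFO parameter and the PAYLOAD value are constructed for this example.

```shell
#!/bin/sh
# Added example, not Nagios Fusion code. Demonstrates why building a command
# string from an untrusted "timezone" value and running it through "sh -c"
# (which is what PHP's exec() does) is injectable, and how to close the hole.

# Unsafe: the value is spliced into the command text, so ";" and friends
# inside it are interpreted by the shell.
run_timezone_unsafe() {
    tz="$1"
    sh -c "echo changing timezone to $tz"
}

# Safe (1): the value is passed as a positional parameter. The shell never
# parses it as command text, so metacharacters stay literal.
run_timezone_quoted() {
    sh -c 'echo changing timezone to "$1"' _ "$1"
}

# Safe (2): allow-list. A timezone must be a relative name made only of the
# characters zone names use, with no traversal, and must exist under
# ZONEINFO. ZONEINFO is a parameter so the check can be pointed at a test
# directory; it defaults to the usual system location.
ZONEINFO="${ZONEINFO:-/usr/share/zoneinfo}"
is_valid_timezone() {
    case "$1" in
        ''|*..*|/*|*[!A-Za-z0-9_/+-]*) return 1 ;;
    esac
    [ -f "$ZONEINFO/$1" ]
}

# Constructed malicious input: a valid-looking zone followed by a second command.
PAYLOAD='UTC; echo INJECTED'

echo "--- unsafe (two commands run):"
run_timezone_unsafe "$PAYLOAD"
echo "--- quoted (one command, payload printed literally):"
run_timezone_quoted "$PAYLOAD"
if is_valid_timezone "$PAYLOAD"; then
    echo "--- allow-list: accepted (unexpected)"
else
    echo "--- allow-list: rejected"
fi
```

Both fixes are worth applying together: the allow-list rejects garbage before anything is executed, and the positional-parameter form means that even a value that slips past validation cannot change the command being run.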
This collapses the separation between root and nagios: if the nagios user can write to the change_timezone.sh script and then execute that script as root, the nagios user can execute any command as root.
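The condition just described, a script that a low-privilege user may run as root via sudo and can also modify, is easy to audit for. The following sh script is an added example and not part of Nagios XI or Fusion: it reads a sudoers file, collects the commands a given user may run, and flags those whose file or containing directory that user can write to. It assumes a stat(1) that accepts -c (GNU or busybox), sudoers rules of the common "user host=(runas) TAGS: /cmd1, /cmd2 args" shape, and it ignores Defaults lines, aliases and %group rules; the function names and the sample sudoers content in the usage are constructed.

```shell
#!/bin/sh
# Added example, not Nagios code: audit a sudoers file for commands that a
# low-privilege user may run as root but can also replace. A script that is
# sudo-executable and writable by the caller (or that lives in a directory the
# caller can write to) hands the caller root.
# Assumes stat(1) with -c and simple "user host=(runas) TAGS: cmd, cmd" rules.

# Does an octal permission digit (0-7) carry the write bit?
has_write_bit() {
    case "$1" in 2|3|6|7) return 0 ;; *) return 1 ;; esac
}

# is_writable_by USER PATH: true if USER can write PATH, judged from owner,
# group and mode bits rather than by trying to open the file as USER.
is_writable_by() {
    u="$1"; f="$2"
    [ -e "$f" ] || return 1
    set -- $(stat -c '%U %G %a' "$f")
    owner="$1"; group="$2"; mode="$3"
    perm=${mode#"${mode%???}"}            # last three octal digits
    ow=${perm%??}; gw=${perm%?}; gw=${gw#?}; xw=${perm#??}
    if [ "$owner" = "$u" ] && has_write_bit "$ow"; then return 0; fi
    if has_write_bit "$gw" && id -Gn "$u" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        return 0
    fi
    has_write_bit "$xw"                   # world-writable
}

# audit_sudo_targets USER SUDOERS_FILE: print "path<TAB>reason" for each
# command USER may run via sudo that USER can also replace. Always returns 0;
# empty output means nothing was flagged.
audit_sudo_targets() {
    user="$1"; sudoers="$2"
    grep -v '^[[:space:]]*#' "$sudoers" | grep -v '^[[:space:]]*$' |
    while read -r line; do
        case "$line" in
            "$user"[[:space:]]*) ;;       # a rule for this user
            *) continue ;;
        esac
        # Drop "user host=", the "(runas)" part and tags such as NOPASSWD:.
        cmds=$(printf '%s\n' "$line" |
               sed -e 's/^[^=]*=//' -e 's/^[[:space:]]*([^)]*)//' \
                   -e 's/[A-Z][A-Z]*:[[:space:]]*//g')
        printf '%s\n' "$cmds" | tr ',' '\n' | while read -r entry; do
            cmd=${entry%% *}              # command path without its arguments
            case "$cmd" in ''|ALL|!*) continue ;; esac
            if is_writable_by "$user" "$cmd"; then
                printf '%s\t%s\n' "$cmd" "file writable by $user"
            elif is_writable_by "$user" "$(dirname "$cmd")"; then
                printf '%s\t%s\n' "$cmd" "directory writable by $user"
            fi
        done
    done
    return 0
}

# Usage on a live system (paths are examples):
#   audit_sudo_targets nagios /etc/sudoers
#   audit_sudo_targets apache /etc/sudoers.d/nagios
```

Run it for every account the application code executes as (here nagios and apache), not just the service user; the directory check matters because a writable directory lets the caller swap the script out even when the file itself is root-owned and 0755.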
We therefore use the command subsystem (change timezone) vulnerability to execute system commands as nagios, modify the change_timezone.sh script, and then run the script with root privileges, elevating our privileges from nagios to root. The commands required to do this are as follows:
Nagios XI offers SMB and enterprise pricing plans. The price of a plan depends on the edition and the license level you wish to purchase. Nagios XI is available in two editions, the Standard Edition and the Enterprise Edition. The Enterprise Edition adds functionality suited to large-scale configuration, forecasting, and scheduled reporting.
On top of the two editions, you can obtain the software by purchasing perpetual licenses at different levels. These license levels are defined by the number of nodes you can monitor. A node is anything with an IP address or domain name, which includes switches, routers, firewalls, workstations, and other network devices. Depending on the license level you purchase, you can monitor from 100 nodes up to an unlimited number of nodes.
If you are monitoring a small environment, you can also use the software free of charge. However, this free license allows you to monitor only 7 nodes. Give the details a look, and select the best edition and license level for your company:
The Nagios XI system is comprised of two categories of licensed code: 1) Open Source foundation cores and components like Nagios Core, PNP, and NDOUtils and 2) the Nagios XI UI and system frameworks. The Nagios XI UI and system frameworks are released under a commercial license and contain some code used under license by Nagios Enterprises that cannot be released under an OSS license. Purchasing a Nagios XI license grants you a perpetual license to use the XI UI and system frameworks, including the licensed code.
Nagios XI is available free of charge for monitoring small environments. Nagios XI installations with a free license are limited to monitoring seven (7) hosts (nodes). There is no limitation on the number of services that can be monitored with a free license. Students may qualify for increased or unrestricted monitoring limits based on their needs and qualifications.
magpie_debug.php accepts an HTTP GET parameter, 'url', and calls fetch_rss() with the URL as an argument. The fetch_rss function is defined in /usr/local/nagiosxi/html/includes/dashlets/rss_dashlet/magpierss/rss_fetch.inc and performs an HTTP request against the provided URL. Digging further, the _fetch_remote_file() function is called, which instantiates a Snoopy object. The fetch() method of the Snoopy class is then called, which eventually ends up in the _httpsrequest() method if an HTTPS URL was specified.
Putting it all together, both the 'apache' and the 'nagios' user can exploit the command injection flaw to gain root privileges. Note that the payload in this case is a bash reverse shell connecting back to 192.168.1.191 on TCP port 4444.
Note that the API key returned belongs to the user for which it was regenerated. In this case, the API key belongs to nagiosadmin. This serves as a privilege escalation within the Nagios XI application because more functionality can now be invoked.
A persistent cross-site scripting (XSS) vulnerability exists in api_tool.php of the Nagios XI Business Process Intelligence (BPI) component. The file /usr/local/nagiosxi/etc/components/bpi.conf can be tampered with: an attacker is able to inject new entries by crafting the value of the HTTP GET 'host' parameter. This file is read by /nagiosxi/includes/components/nagiosbpi/index.php when a user opens the BPI view. A tampered bpi.conf file could end up looking like the following. Take note of the second entry:
Managing your licenses for your devices has never been easier; the Marketplace is now open for convenient and secure purchasing of licenses. Here are the three major benefits you get as a customer when using the Marketplace:
We have used Centreon previously. We have evaluated it for some time. It was very easy to use, but the requirements we had were not fulfilled. We have engaged with some Centreon providers, and the support was not great. We bought a license for one year for Centreon, and the support from France was not great. That's why we decided that we cannot go with it for a longer time and on a larger scale. Additionally, we have used Alaloop for quite some time, and it was good.