LibreNMS security issue


As Weathermap is a standalone piece of software in LibreNMS, it’s really an issue that I don’t have the possibility to limit the access of users.
In LibreNMS the normal users can see my entire network (which I’m not comfortable with) and the biggest problem is, they can enter the editor!

That’s a huge security breach and should be fixed ASAP.

Edit: I found a little workaround for now:

After the weathermap is set up and working, disable the plugin.
You can enter the weathermap in your dashboard by using “external images”. Of course, anyone else can do that if he knows the URL, but at least no one enters the editor easily (someone can still enter the editor by just using the URL… still… it’s something). Maybe renaming editor.php to something else would do the trick… still… not very elegant :)


I got around folks being able to use the editor simply by making the config directory read only. It’s a pain in the rear to have to go chown it when I want to make changes, but better that than letting other folks mess with my maps.

I agree that I wish I could control who had access to what maps.

Your webserver almost certainly has options to control access to specific files. For Apache, this would be a combination of Basic Auth and the FilesMatch, Location or Directory keywords. For the editor in particular, this is already recommended in the manual, and the editor is disabled by default for the same reasons.
I’ve never used LibreNMS - how is authentication implemented for its own graphs?
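
An added example, not part of any post in this thread and not taken from the Weathermap manual: one way to apply the Basic Auth plus FilesMatch approach mentioned above on Apache 2.4. The directory path, the password file location and the user name `mapadmin` are placeholders chosen for illustration.

```apache
# Added example: protect only the Weathermap editor with Basic Auth.
# Placeholders (assumptions, replace with your own values):
#   /path/to/weathermap            directory that contains editor.php
#   /path/to/htpasswd-weathermap   password file kept outside the web root
#   mapadmin                       hypothetical account allowed to edit maps
#
# Create the password file once with Apache's htpasswd utility:
#   htpasswd -c /path/to/htpasswd-weathermap mapadmin
#
# Basic Auth sends the password base64-encoded, not encrypted, so serve
# this location over HTTPS only.

# Before: the whole directory is open, so anyone who knows the URL of
# editor.php can load it.
#
# <Directory "/path/to/weathermap">
#     Require all granted
# </Directory>

# After: maps and images stay reachable as before, the editor asks for
# credentials.
<Directory "/path/to/weathermap">
    Require all granted

    # FilesMatch sections are merged after the enclosing Directory
    # section, so this Require replaces "all granted" for editor.php.
    <FilesMatch "^editor\.php$">
        AuthType Basic
        AuthName "Weathermap editor"
        AuthUserFile "/path/to/htpasswd-weathermap"
        Require user mapadmin
    </FilesMatch>
</Directory>
```

After reloading Apache, an unauthenticated request for editor.php should return 401 while the map pages still load; this controls access at the web server and is independent of LibreNMS user roles.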