If you use LibreNMS and have setup the Weathermaps plugin… your weathermaps are open to the world if anyone guesses the image or html file name.
(How is that even a feature?)
You can fix this mess by making the following changes.. (Bearing in mind I’m not a LibreNMS expert or Weathermap plugin author.. I make no claims of the security or viability of my modification but it seems to do the job for my setup).
Add the following to the bottom (before the last } bracket) of /etc/nginx/conf.d/librenms.conf
location ~ /plugins/Weathermap {
location ~ \.png$ {
rewrite ^(.*)\.png$ /plugins/Weathermap/accesscheck.php;
}
}
Then make a file /opt/librenms/html/plugins/Weathermap/accesscheck.php:
<?php
#If debugging remove the content type as image and echo out the data you need as html / text
include 'config.inc.php';
$init_modules = ['web', 'auth'];
require $librenms_base . '/includes/init.php';
if (!Auth::check()) {
header('Location: /');
exit;
} else if (Auth::user()->username == 'externalcontractorusernamehere') {
#Do nothing, no access.
$im = imagecreate(200, 300);
$bg = imagecolorallocate($im, 255, 255, 255);
$textcolor = imagecolorallocate($im, 0, 0, 255);
imagestring($im, 5, 0, 0, 'No Access.', $textcolor);
header('Content-type: image/png');
imagepng($im);
imagedestroy($im);
} else {
#echo('I am authed as ');
#echo(Auth::user()->username);
#echo(' with email ');
#echo(Auth::user()->email);
#echo(' with admin status: ');
#echo(auth()->user()->isAdmin());
#echo(' wanting to access file ');
#$htmlfile = str_replace('.php','.png',basename($_SERVER['PHP_SELF']));
$htmlfile = basename($_SERVER['REQUEST_URI']);
#echo($htmlfile);
header('Content-type: image/png');
readfile('/opt/librenms/html/plugins/Weathermap/'.$htmlfile);
}
?>
The code does the following..
1) Imports LibreNMS configuration and initalisation scripts.
2) Checks if the user is authenticated.. if they are not it redirects them to the login page (although in practice this is a .png request so the visitor won’t hit that unless they right click and “View image” and the browser follows the request).
3) Blocks a specific named user (if you wanted to) in case you had an authenticated user who wants LibreNMS access but no access to Weathermap images.
4) Otherwise reads the image and spits it out to an authenticated visitor.
Obviously you can expand and customise things as you need.
In one setup the image files were in /output/ so the config file path needed editing with output in the path, accesscheck.php placing in the output folder and accesscheck.php editing so the final “readfile” line has /output/ in it.
thecomputerperson 