Securing LibreNMS Weathermaps

If you use LibreNMS and have setup the Weathermaps plugin… your weathermaps are open to the world if anyone guesses the image or html file name.

(How is that even a feature?)

You can fix this mess by making the following changes.. (Bearing in mind I’m not a LibreNMS expert or Weathermap plugin author.. I make no claims of the security or viability of my modification but it seems to do the job for my setup).

Add the following to the bottom (before the last } bracket) of /etc/nginx/conf.d/librenms.conf

 location ~ /plugins/Weathermap {
    location ~ \.png$ {
      rewrite ^(.*)\.png$ /plugins/Weathermap/accesscheck.php;
    }
 }

Then make a file /opt/librenms/html/plugins/Weathermap/accesscheck.php:

<?php

#If debugging remove the content type as image and echo out the data you need as html / text

    include 'config.inc.php';
    $init_modules = ['web', 'auth'];
    require $librenms_base . '/includes/init.php';

        if (!Auth::check()) {
                header('Location: /');
                exit;
        } else if (Auth::user()->username == 'externalcontractorusernamehere') {
                #Do nothing, no access.
                $im = imagecreate(200, 300);
                $bg = imagecolorallocate($im, 255, 255, 255);
                $textcolor = imagecolorallocate($im, 0, 0, 255);
                imagestring($im, 5, 0, 0, 'No Access.', $textcolor);
                header('Content-type: image/png');
                imagepng($im);
                imagedestroy($im);
        } else {
                #echo('I am authed as ');
                #echo(Auth::user()->username);
                #echo(' with email ');
                #echo(Auth::user()->email);
                #echo(' with admin status: ');
                #echo(auth()->user()->isAdmin());
                #echo(' wanting to access file ');
                #$htmlfile = str_replace('.php','.png',basename($_SERVER['PHP_SELF']));
                $htmlfile = basename($_SERVER['REQUEST_URI']);
                #echo($htmlfile);
                header('Content-type: image/png');
                readfile('/opt/librenms/html/plugins/Weathermap/'.$htmlfile);
        }
?>

The code does the following..

1) Imports LibreNMS configuration and initalisation scripts.
2) Checks if the user is authenticated.. if they are not it redirects them to the login page (although in practice this is a .png request so the visitor won’t hit that unless they right click and “View image” and the browser follows the request).
3) Blocks a specific named user (if you wanted to) in case you had an authenticated user who wants LibreNMS access but no access to Weathermap images.
4) Otherwise reads the image and spits it out to an authenticated visitor.

Obviously you can expand and customise things as you need.

In one setup the image files were in /output/ so the config file path needed editing with output in the path, accesscheck.php placing in the output folder and accesscheck.php editing so the final “readfile” line has /output/ in it.

This entry was posted in Uncategorized. Bookmark the permalink.

Comment on this topic

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s