escaping/sanitizing plugin output in nagios web interfaces

sean finney seanius at seanius.net
Mon Apr 2 23:14:28 CEST 2007


hey ethan et al,

someone raised a bug in the debian bts:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=416814

basically bringing to light the fact that the output from various
plugins is placed verbatim into web page output.  the theoretical
problem with this is that some remote host could place XSS code in the
output, making it possible to hijack/co-opt the nagios admin's web
browser to do naughty things.

of course in practice most monitored hosts are part of the same internal
network, and this is *mostly* not an issue when you trust the checks
that you're hosting... but it is a valid issue nonetheless, I'd say.

the problem could be solved on the plugin level, but I think it's more
appropriate that it's addressed in the web interface itself.  maybe a
new service or cgi option could be added to escape the output, or maybe
provide a list of "safe" tags or something?



	sean
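The two options raised in the message above (escape everything, or escape everything except a short list of "safe" tags) as an added example in C, the language of the Nagios CGIs. This is not Nagios code and the function names `html_escape` and `html_escape_allow_tags` are hypothetical; the plugin output strings in `main` are constructed to show the problem. The allow-list variant only passes a tag through when it matches one of the listed literal forms byte for byte, so a tag carrying attributes (`<b onclick=...>`) is escaped rather than trusted.

```c
/* Added example, not Nagios code: escaping plugin output before a CGI
 * writes it into an HTML page. Names below are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Escape the characters that let untrusted text break out of HTML text
 * or attribute context. Returns bytes written (excluding the NUL), or
 * -1 if the output buffer is too small. */
static long html_escape(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *in; in++) {
        const char *rep;
        char one[2] = { *in, 0 };
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (n + rl + 1 > outlen)
            return -1;
        memcpy(out + n, rep, rl);
        n += rl;
    }
    out[n] = 0;
    return (long)n;
}

/* Hypothetical "safe tag" list: exact literal tags, no attributes,
 * no whitespace, so nothing with an event handler can slip through. */
static const char *const safe_tags[] = {
    "<b>", "</b>", "<i>", "</i>", "<br>", NULL
};

/* Like html_escape, but copies a tag through verbatim when it matches
 * one of safe_tags exactly. Any other '<' is escaped. */
static long html_escape_allow_tags(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    while (*in) {
        if (*in == '<') {
            int matched = 0;
            for (const char *const *t = safe_tags; *t; t++) {
                size_t tl = strlen(*t);
                if (strncmp(in, *t, tl) == 0) {
                    if (n + tl + 1 > outlen)
                        return -1;
                    memcpy(out + n, *t, tl);
                    n += tl;
                    in += tl;
                    matched = 1;
                    break;
                }
            }
            if (matched)
                continue;
        }
        /* Not a safe tag: escape this single byte the normal way. */
        char one[2] = { *in, 0 };
        char tmp[8];
        long r = html_escape(one, tmp, sizeof tmp);
        if (r < 0 || n + (size_t)r + 1 > outlen)
            return -1;
        memcpy(out + n, tmp, (size_t)r);
        n += (size_t)r;
        in++;
    }
    out[n] = 0;
    return (long)n;
}

int main(void)
{
    /* Constructed plugin output, as a hostile remote host could return it. */
    const char *evil = "OK - <script>alert(document.cookie)</script>";
    const char *bold = "<b>DOWN</b> <b onclick=\"steal()\">x</b>";
    char buf[256];

    if (html_escape(evil, buf, sizeof buf) >= 0)
        printf("escaped:     %s\n", buf);
    if (html_escape_allow_tags(bold, buf, sizeof buf) >= 0)
        printf("allow-list:  %s\n", buf);
    return 0;
}
```

Escaping at output time, in the CGI, is the approach the message argues for: the plugin output stored by the daemon stays untouched, and the same stored string can still be shown raw in a terminal or a text notification where HTML escaping would be wrong.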
_______________________________________________
Nagios-devel mailing list
Nagios-devel at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-devel