escaping/sanitizing plugin output in nagios web interfaces

Andreas Ericsson ae at op5.se
Tue Apr 3 17:03:44 CEST 2007


David Schlecht wrote:
> On 4/2/07, sean finney <seanius at seanius.net> wrote:
>>
>> hey ethan et al,
>>
>> someone raised a bug in the debian bts:
>>
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=416814
>>
>> basically bringing to light the fact that the output from various
>> plugins is placed verbatim into web page output.  the theoretical
>> problem with this is that some remote host could place XSS code in the
>> output, making it possible to hijack/co-opt the nagios admin's web
>> browser to do naughty things.
>>
>>
> This same bug exists in config.c when displaying arguments TO the plugins.
> 

That's not a bug, and in no way a security issue. If someone has access to
modify the nagios config files you should stop worrying about XSS attacks
for the same reason you shouldn't try to plug a leak in the kitchen sink
when your house is on fire.

EBBOM, please.

-- 
Andreas Ericsson                   andreas.ericsson at op5.se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231
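The escape pass the thread is asking for, as an added example that is not Nagios code: a small C routine (the CGIs are C) that HTML-escapes a plugin's output before it is written into the status page, so a hostile check result renders as text instead of running in the admin's browser. The function name and the sample check output are assumptions constructed for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Replacement for one character, or NULL if it may pass through.
 * These five are the characters that let untrusted text break out of
 * an HTML text or attribute context. */
static const char *html_rep(char c)
{
    switch (c) {
    case '&':  return "&amp;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '"':  return "&quot;";
    case '\'': return "&#39;";
    default:   return NULL;
    }
}

/* Return a newly malloc'd, HTML-escaped copy of the plugin output.
 * Caller frees it. Returns NULL only on allocation failure. */
char *html_escape_plugin_output(const char *in)
{
    size_t i, len = strlen(in), out_len = 0;
    char *out, *p;

    /* Pass 1: size the result exactly rather than guessing a buffer. */
    for (i = 0; i < len; i++) {
        const char *rep = html_rep(in[i]);
        out_len += rep ? strlen(rep) : 1;
    }
    out = malloc(out_len + 1);
    if (out == NULL)
        return NULL;

    /* Pass 2: copy, substituting the escape sequences. */
    p = out;
    for (i = 0; i < len; i++) {
        const char *rep = html_rep(in[i]);
        if (rep) {
            memcpy(p, rep, strlen(rep));
            p += strlen(rep);
        } else {
            *p++ = in[i];
        }
    }
    *p = '\0';
    return out;
}
```

A CGI would call this on the plugin output string at the point where it is formatted into the page, e.g. `html_escape_plugin_output("OK - load 0.5 <script>alert(1)</script>")` yields `OK - load 0.5 &lt;script&gt;alert(1)&lt;/script&gt;`.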
