escaping/sanitizing plugin output in nagios web interfaces
sean finney
seanius at seanius.net
Wed Apr 4 00:44:13 CEST 2007
tjena andreas,
On Tue, 2007-04-03 at 17:03 +0200, Andreas Ericsson wrote:
> > This same bug exists in config.c when displaying arguments TO the plugins.
> >
>
> That's not a bug, and in no way a security issue. If someone has access to
> modify the nagios config files you should stop worrying about XSS attacks
> for the same reason you shouldn't try to plug a leak in the kitchen sink
> when your house is on fire.
granted i haven't actually checked this, but what if you have a
check_command defined as "/path/to/something < /path/to/input" ? not a
security issue in this regard, but i'd say a bug if it mucks with the
displaying of the content.
in any event i'd say it's a matter that should still be worked out with
the plugin output presentation.
sean
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <https://www.monitoring-lists.org/archive/developers/attachments/20070404/080b7420/attachment.sig>
-------------- next part --------------
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
-------------- next part --------------
_______________________________________________
Nagios-devel mailing list
Nagios-devel at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-devel
More information about the Developers
mailing list