escaping/sanitizing plugin output in nagios web interfaces
Ethan Galstad
nagios at nagios.org
Mon Apr 9 04:59:22 CEST 2007
sean finney wrote:
> hi andreas,
>
> On Tue, 2007-04-03 at 17:03 +0200, Andreas Ericsson wrote:
>
>>> This same bug exists in config.c when displaying arguments TO the plugins.
>>>
>> That's not a bug, and in no way a security issue. If someone has access to
>> modify the nagios config files you should stop worrying about XSS attacks
>> for the same reason you shouldn't try to plug a leak in the kitchen sink
>> when your house is on fire.
>
> granted i haven't actually checked this, but what if you have a
> check_command defined as "/path/to/something < /path/to/input" ? not a
> security issue in this regard, but i'd say a bug if it mucks with the
> displaying of the content.
>
> in any event i'd say it's a matter that should still be worked out with
> the plugin output presentation.
>
>
> sean
>
I think it's a good idea to escape HTML whenever possible. I think these
kinds of problems can all be avoided by simply escaping the < and >
characters. I've updated the html_encode() function and changed the
CGIs to encode all plugin/perfdata output in the CGIs, as well as the
command definitions in the config CGI. I think I've got the code
changed in all the necessary places. Patches will be made to the CVS code
(Nagios 2.x and 3/HEAD branches) shortly.
Ethan Galstad,
Nagios Developer
---
Email: nagios at nagios.org
Website: http://www.nagios.org
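Because the thread is about escaping plugin and perfdata output before the CGIs emit it as HTML, the following C function is an added example of the kind of encoder the discussion calls for. It is not Nagios's html_encode() and not code from the thread: the function name encode_plugin_output, the helper contains_raw_markup and the sample strings are all constructed here. As a design choice it escapes &, " and ' in addition to < and >, since output placed inside an attribute value (a title="..." for instance) can be closed by a quote, and a stray & can form an entity.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Map one character to its HTML entity, or NULL if it needs no escaping. */
static const char *entity_for(char c) {
    switch (c) {
    case '&':  return "&amp;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '"':  return "&quot;";
    case '\'': return "&#39;";
    default:   return NULL;
    }
}

/* Hypothetical encoder (not Nagios's html_encode()): returns a newly
 * allocated, NUL-terminated copy of `input` with HTML-significant characters
 * replaced by entities, or NULL on allocation failure.  The caller frees it.
 * Two passes: first measure the encoded length, then write it out, so the
 * buffer is sized exactly and cannot be overrun by a long plugin line. */
char *encode_plugin_output(const char *input) {
    size_t out_len = 0;
    const char *p;
    for (p = input; *p; p++) {
        const char *e = entity_for(*p);
        out_len += e ? strlen(e) : 1;
    }
    char *out = malloc(out_len + 1);
    if (!out) return NULL;
    char *w = out;
    for (p = input; *p; p++) {
        const char *e = entity_for(*p);
        if (e) {
            size_t n = strlen(e);
            memcpy(w, e, n);
            w += n;
        } else {
            *w++ = *p;
        }
    }
    *w = '\0';
    return out;
}

/* Self-check helper: 1 if the text still contains a raw '<' or '>' (an
 * encoded string never should), 0 otherwise. */
int contains_raw_markup(const char *s) {
    return (strchr(s, '<') != NULL || strchr(s, '>') != NULL) ? 1 : 0;
}

int main(void) {
    /* Constructed sample lines: a normal plugin result, the redirect-style
     * command definition mentioned in the thread (which must survive
     * display intact), and output containing markup. */
    const char *samples[] = {
        "DISK OK - free space: / 1234 MB (45%)",
        "/path/to/something < /path/to/input",
        "PING CRITICAL <b>host down</b> & unreachable",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *enc = encode_plugin_output(samples[i]);
        if (!enc) return 1;
        printf("%s\n  -> %s\n", samples[i], enc);
        free(enc);
    }
    return 0;
}
```

The redirect-style command definition from the thread comes out as "/path/to/something &lt; /path/to/input", which a browser renders back to the original text, so encoding at output time fixes the display problem without touching the configuration itself.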