ANNOUNCE: Nagios Looking Glass 1.0.0#PRE is here!
Andy Shellam (Mailing Lists)
andy.shellam-lists at mailnetwork.co.uk
Fri Dec 29 01:55:17 CET 2006
Hi Hans,
I'll admit first off I'm reading this e-mail at almost 1am here in the
UK and after about, ooh, 6 glasses of wine, so I may get a different view
in the morning, but I'm getting the feeling I'm already thinking along
the same path as yourself; maybe I haven't made that clear?
Thanks for the wonderfully detailed e-mail btw, it made good reading and I
certainly don't see it as a personal attack - I'm starting out in
web-apps design, but saying that, I have about 5 years' PHP exp under my
belt - this is my first live app (lots of other projects shelved - I'm
sure you know the drill) and security is something high on my "things to
get to grips with" list!
Right, back to your e-mail, let me try to explain:
Hans Spaans wrote:
> I'm reading your responses and from others, but I'm under impression
> that you're trying to fight symptoms instead of really focus your
> energy on the real problem.
Nope, in a sense yes I want to get things sorted as much as possible,
but I don't see that there is a problem - save for the extra sanitation
check on the client side (the poller already does this).
Equally I feel that I have to understand how the symptoms cause a
problem in order to get to the bottom of *why* the problem can occur in the
first place. (E.g. you wouldn't try to fix a car without knowing how to
drive one, would you?)
>
> Also, if you think I'm intrusive or dominant or arrogant, my apologies
> in advance to you all, but it's not to troll or something like that.
>
I'm happy to take all comments, criticisms, whatever. NLG is after all
in the public domain.
> This is not really XSS, but more like DNS-spoofing and some wicked
> redirection box. But don't focus on XSS right now, but on what Hans
> Wolters and others were talking about. It will make things much easier.
>
Hans Wolters and the others were talking about XSS - it's probably my
inexperience that's getting the wrong end of the stick about what XSS
actually is, but from my (now more enhanced) understanding after reading
about it on Wikipedia and the like, I still fail to see how NLG is
vulnerable.
> What is the problem really? It has nothing to do with login or
> sensitive data, but with checking your data and keeping a careful eye
> on data. So to keep it simple, data should always be sanitized to make
> sure it's within the boundaries you would expect and it needs to be.
>
Exactly. There's nothing sensitive about the data - anything anybody
could get from NLG by forging variables is nothing more than they could
get through the normal interface anyway.
NLG cannot be used to inject scripts into the HTML output as it doesn't
use the GET variables to generate any HTML anywhere, and the check on
the poller side will force the variables to 0 if a user tried to inject
any HTML code (sure this check needs to be performed on the client-side
too, but even without it, I cannot see a way in which arbitrary HTML
code can be executed using the GET variables.)
> But a lot of people also make an incorrect assumption here. They
> believe that by checking if a variable is an integer at the start of
> the function that everything is good. No way; in the most extreme form
> you need to sanitize your data after every operation on it, but that
> would be too much. But instead of checking everything again every time
> you can also write your function in a way that you cover every outcome
> or path your function can and should take. A little C example below is an
> example of this.
>
Yep, this is something I've thought of as an afterthought - currently the
poller forces the filter/group ID to be an integer, then it uses that to
look up the filter/group to send back to the client - what I need to do
is check that the filter/group actually exists - if it doesn't, set it to 0
- if filter/group 0 doesn't exist, throw a fatal error as something in
the config's amiss.
> I must say that you're on the right path by saying things like "we
> check if it's an integer or else we fix it to zero". But I leave it up
> to you right now to decide if this is enough, but I think you know
> the answer already ;-)
>
I think so :) -- see response to previous para.
> You're saying something interesting and that is that everyone can
> access it. This means the good, the bad and the idiots who think they
> have found undocumented features and start using them. And here comes
> the bad part: they start complaining when you fix a bug and their
> application stops working. So they stick with the old version, because
> that one works. This is one to remember, because most software
> currently around already depends on code that goes back say 10 or 20
> years. Imagine people using your code and the results when it seems
> your code contains some serious flaws. And I'm not trying to scare
> you, but it happens every day and you should be aware of it.
>
I'm hoping that the code for NLG and any future projects I work on has
no serious flaws (that's the idea of beta-testing after all). But yes,
I agree with your point entirely, that's why the code is written to work
in PHP5 only, as a lot of PHP flaws from 4.x were fixed in 5. One thing
I probably will do in future versions of NLG is to check the PHP config
for things such as register_globals being off and other security
problems that could leave the server open to attack etc.
As for rogue people using the app - the data from the poller is a
serialised, base64-encoded representation of the s3_class (which is a
snapshot of the network/server overview).
Without the source code (say someone screen-scraping your poller), even
after base64-decoding the data, they'd get a long string of (mostly) useless data.
But, with HTTP authentication on the poller feed and HTTPS encryption,
this wouldn't be an issue - the rogues would have to get the data from
the front-end UI.
> This is a good question and do you remember what I said about making
> sure your code can handle any situation? And I think you're starting
> to see the point.
>
Yep.
> To be honest you have a couple of good points here. And I would
> say make sure 1.0.0 works correctly and skip the robustness to a later
> version. I think that you have enough work on your hands to make sure
> the application works correctly and that you can rewrite some parts
> afterwards to make the application more reliable and robust.
>
I would have thought it the other way round actually - that is, my view
is taking "reliable and robust" to include these "possible" security
issues, and get those sorted before focusing on other functionality.
When development is in progress, yep, get it working first, then secure
it - but I feel 1.0.0 should be stable and secure within the current
code-base - which is why I'm not adding new features and such, and
primarily focusing on hardening up the existing code.
> And on your question about support for making NLG more secure, I think
> you see that it's not really about fancy words or manpower. It's more
> about thinking of what you need and its boundaries, but also building the
> mousetrap. It gives others less room to poke in your application by
> feeding it wicked data.
>
Hopefully so, I have a paranoid personality anyway, and some have said
that's why I'm a programmer!! Hmm.... no comment lol.
> I must btw say that this is no guarantee that your application can't be
> abused, because sometimes there are design flaws or just logical
> issues. But hopefully you will then laugh about those issues and see
> them as challenges.
>
I do indeedy.
>
> As a last statement, don't see this as a personal attack. It isn't, and
> I'd love to see your response and your progress.
>
Not at all, I'm glad of the advice, this is what I call "constructive
criticism" which is what I look for.
Thanks a mill Hans,
--
Andy Shellam
NetServe Support Team
the Mail Network
"an alternative in a standardised world"
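The check-then-lookup pattern discussed above (force the ID to an integer, confirm the filter/group actually exists, fall back to 0, and treat a missing filter 0 as a configuration error) written out as a small PHP example. This is an added illustration, not code from Nagios Looking Glass; the `$filters` array, the function name `resolve_filter_id` and the `filter` GET parameter are constructed assumptions, since the page does not show NLG's actual config layout or variable names.

```php
<?php
// Added example (not NLG's own code): validate a filter/group ID taken from
// the query string against the configured set of filters, falling back to
// filter 0 and stopping if filter 0 itself is missing from the configuration.

// Constructed sample configuration; the real NLG layout is not shown on the page.
$filters = array(
    0 => array('name' => 'All hosts'),
    3 => array('name' => 'Web servers'),
    7 => array('name' => 'Mail servers'),
);

/**
 * Return the ID of a filter that really exists for the supplied raw input.
 *
 * - Non-integer input ("3abc", "-1", "", arrays, null) is treated as 0.
 * - An integer that does not match a configured filter is treated as 0.
 * - If filter 0 itself is not configured, the config is broken: abort rather
 *   than hand a half-valid value on to the rest of the poller.
 */
function resolve_filter_id($raw, array $filters)
{
    // ctype_digit only accepts a non-empty string of 0-9: no sign, no
    // whitespace, no decimal point, and nothing that is not a string at all.
    $id = (is_string($raw) && ctype_digit($raw)) ? (int) $raw : 0;

    // Being an integer is not enough; the ID must also exist in the config.
    if (!array_key_exists($id, $filters)) {
        $id = 0;
    }

    // Filter 0 is the documented fallback. If it is absent the configuration
    // is amiss, so this is a fatal condition, not something to paper over.
    if (!array_key_exists($id, $filters)) {
        throw new RuntimeException('Configuration error: default filter 0 is not defined');
    }

    return $id;
}

// Usage with a few constructed inputs, including the kinds of values an
// outside party might put in the query string.
$inputs = array('3', '7', '99', '3abc', '-1', '<script>', '', null);
foreach ($inputs as $in) {
    printf("%-12s -> %d\n", var_export($in, true), resolve_filter_id($in, $filters));
}

// If the resolved value is ever echoed into HTML, escape it at the output
// point as well, so correct output does not rely on the input checks alone.
$requested = isset($_GET['filter']) ? $_GET['filter'] : null;
$id = resolve_filter_id($requested, $filters);
echo '<p>Showing filter ' . htmlspecialchars((string) $id, ENT_QUOTES, 'UTF-8') . '</p>';
```

With the sample config, `'3'` and `'7'` resolve to themselves and every other input in the list resolves to 0; deleting the `0` entry from `$filters` makes the function throw instead, which is the "something in the config's amiss" case.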
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null