sean finney wrote:
> tjena andreas,
>
> On Tue, 2007-04-03 at 17:03 +0200, Andreas Ericsson wrote:
>
>>> This same bug exists in config.c when displaying arguments TO the plugins.
>>>
>> That's not a bug, and in no way a security issue. If someone has access to
>> modify the nagios config files you should stop worrying about XSS attacks
>> for the same reason you shouldn't try to plug a leak in the kitchen sink
>> when your house is on fire.
>
> granted i haven't actually checked this, but what if you have a
> check_command defined as "/path/to/something security issue in this regard, but i'd say a bug if it mucks with the
> displaying of the content.
>
> in any event i'd say it's a matter that should still be worked out with
> the plugin output presentation.
>
>
> sean
>
I think it's a good idea to escape HTML whenever possible. I think these
kinds of problems can all be avoided by simply escaping the
characters. I've updated the html_encode() function and changed the
CGIs to encode all plugin/perfdata output in the CGIs, as well as the
command definitions in the config CGI. I think I've got the code
changed in all the necessary places. Patches will be made to the CVS code
(Nagios 2.x and 3/HEAD branches) shortly.
Ethan Galstad,
Nagios Developer
---
Email: [email protected]
Website: http://www.nagios.org
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
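The following is an added example illustrating the escaping approach Ethan describes above; it is not code from the Nagios CGIs or from this thread. The function and helper names (example_html_encode, print_cell_unsafe, print_cell_encoded, example_encode_matches) and the sample plugin output are this example's own assumptions, and it makes no claim about the real html_encode() signature or buffer handling in Nagios.

```c
/* Added example (not Nagios code): HTML-entity encoding of plugin output
 * before it is written into a CGI response, so that characters a plugin
 * or a check_command argument may emit (<, >, &, ", ') are never
 * interpreted as markup by the browser. Names here are illustrative
 * assumptions, not the real html_encode() from the Nagios CGIs. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Map one byte to its HTML entity, or NULL if it needs no escaping. */
static const char *entity_for(unsigned char c)
{
    switch (c) {
    case '&':  return "&amp;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '"':  return "&quot;";
    case '\'': return "&#39;";   /* &apos; is not HTML 4; use the numeric form */
    default:   return NULL;
    }
}

/* Return a newly malloc'd copy of `input` with every markup-significant
 * byte replaced by its entity. Caller frees. Returns NULL on NULL input
 * or allocation failure. */
char *example_html_encode(const char *input)
{
    size_t out_len = 0;
    const unsigned char *p;
    char *out, *q;

    if (input == NULL)
        return NULL;

    /* First pass: compute the exact output size, so there is no fixed-size
     * buffer to overflow or to silently truncate long plugin output. */
    for (p = (const unsigned char *)input; *p; p++) {
        const char *e = entity_for(*p);
        out_len += e ? strlen(e) : 1;
    }

    out = malloc(out_len + 1);
    if (out == NULL)
        return NULL;

    /* Second pass: copy bytes, substituting entities where needed. */
    for (p = (const unsigned char *)input, q = out; *p; p++) {
        const char *e = entity_for(*p);
        if (e) {
            size_t n = strlen(e);
            memcpy(q, e, n);
            q += n;
        } else {
            *q++ = (char)*p;
        }
    }
    *q = '\0';
    return out;
}

/* Encode `in` and report whether the result equals `expected` (1/0). */
int example_encode_matches(const char *in, const char *expected)
{
    char *enc = example_html_encode(in);
    int ok = (enc != NULL && strcmp(enc, expected) == 0);
    free(enc);
    return ok;
}

/* The unsafe pattern (plugin output or command arguments written raw into
 * a table cell) beside the hardened one. */
void print_cell_unsafe(FILE *fp, const char *plugin_output)
{
    fprintf(fp, "<td>%s</td>\n", plugin_output); /* XSS if output carries markup */
}

int print_cell_encoded(FILE *fp, const char *plugin_output)
{
    char *enc = example_html_encode(plugin_output);
    if (enc == NULL)
        return -1;
    fprintf(fp, "<td>%s</td>\n", enc);
    free(enc);
    return 0;
}

int main(void)
{
    /* Constructed sample: plugin output (or a check_command argument)
     * containing markup and an ampersand. */
    const char *sample = "DISK OK - <script>alert('x')</script> & 42% free";
    printf("unsafe:  ");
    print_cell_unsafe(stdout, sample);
    printf("encoded: ");
    print_cell_encoded(stdout, sample);
    return 0;
}
```

Encoding at the point where output is written into the page, rather than trusting that the config files or plugins are clean, is what makes the argument in the thread moot: whether the text came from a misbehaving plugin or from someone editing the command definitions, the browser only ever sees entity-escaped text.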