[Nagios-devel] escaping/sanitizing plugin output in nagios web



Post by Guest »


--=-rt9GMhadlpQTaGqpCIT4
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

hey ethan et al,

someone raised a bug in the debian bts:

http://bugs.debian.org/cgi-bin/bugrepor ... g=416814

basically bringing to light the fact that the output from various
plugins is placed verbatim into web page output. the theoretical
problem with this is that some remote host could place XSS code in the
output, making it possible to hijack/co-opt the nagios admin's web
browser to do naughty things.

of course in practice most monitored hosts are part of the same internal
network, and this is *mostly* not an issue when you trust the checks
that you're hosting... but it is a valid issue nonetheless i'd say.

the problem could be solved on the plugin level, but i think it's more
appropriate that it's addressed in the web interface itself. maybe a
new service or cgi option could be added to escape the output, or maybe
provide a list of "safe" tags or something?



sean

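The "escape in the web interface, maybe with a list of safe tags" idea from the message above, as an added example in C (not Nagios code and not the poster's): plugin output is entity-encoded before it is written into the CGI's HTML, except for a small hypothetical allowlist of attribute-free tags, so anything a remote host injects into its check output is rendered as text rather than executed.

```c
/* Added example, not Nagios code: entity-encode plugin output for HTML,
 * letting through only a tiny allowlist of attribute-free tags. */
#include <stdio.h>
#include <string.h>

/* Hypothetical allowlist: lowercase tag names a plugin may use. Matching is
 * case-sensitive on purpose, so anything unexpected is escaped (fail closed). */
static const char *safe_tags[] = { "b", "i", "br", NULL };

/* s[0..len) is the text between '<' and '>'. Returns 1 only if it is exactly
 * an allowlisted tag name, optionally with a leading '/', and nothing else. */
static int is_safe_tag(const char *s, size_t len) {
    size_t i;
    if (len > 0 && s[0] == '/') { s++; len--; }
    for (i = 0; safe_tags[i]; i++)
        if (strlen(safe_tags[i]) == len && strncmp(safe_tags[i], s, len) == 0)
            return 1;
    return 0;
}

/* Escape src into dst (capacity dstsz). Returns bytes written (excluding the
 * NUL) or -1 if dst is too small. "<script>" becomes "&lt;script&gt;", while
 * "<b>...</b>" is copied verbatim; a tag carrying attributes is escaped. */
int escape_plugin_output(const char *src, char *dst, size_t dstsz) {
    size_t out = 0;
    const char *p = src;
    while (*p) {
        const char *rep;
        size_t replen;
        if (*p == '<') {
            const char *end = strchr(p + 1, '>');
            if (end && is_safe_tag(p + 1, (size_t)(end - p - 1))) {
                rep = p; replen = (size_t)(end - p + 1); /* whole allowlisted tag */
                p = end;
            } else { rep = "&lt;"; replen = 4; }
        } else if (*p == '>')  { rep = "&gt;";   replen = 4; }
        else   if (*p == '&')  { rep = "&amp;";  replen = 5; }
        else   if (*p == '"')  { rep = "&quot;"; replen = 6; }
        else   if (*p == '\'') { rep = "&#39;";  replen = 5; }
        else                   { rep = p;        replen = 1; }
        if (out + replen >= dstsz) return -1;
        memcpy(dst + out, rep, replen);
        out += replen;
        p++;
    }
    dst[out] = '\0';
    return (int)out;
}
```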

This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]