Re: [Nagios-devel] escaping/sanitizing plugin output in nagios web

Posted: Tue Apr 03, 2007 6:23 am
by Guest

On 4/2/07, sean finney wrote:
>
> hey ethan et al,
>
> someone raised a bug in the debian bts:
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=416814
>
> basically bringing to light the fact that the output from various
> plugins is placed verbatim into web page output. the theoretical
> problem with this is that some remote host could place XSS code in the
> output, making it possible to hijack/co-opt the nagios admin's web
> browser to do naughty things.
>
>
This same bug exists in config.c when displaying arguments TO the plugins.

-David

This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
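
The mitigation for the issue raised in this thread, as an added example that is not part of the original post and is not Nagios code: HTML-escape untrusted plugin output (and, per the reply, plugin arguments) before writing it into a CGI page. The helper name `html_escape` and the sample string are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not a Nagios function): return a malloc'd copy of
 * `in` with HTML metacharacters replaced by entities, NULL on failure. */
char *html_escape(const char *in)
{
    if (in == NULL)
        return NULL;
    size_t len = strlen(in);
    if (len > (SIZE_MAX - 1) / 6)   /* worst case: each byte -> "&quot;" */
        return NULL;
    char *out = malloc(len * 6 + 1);
    if (out == NULL)
        return NULL;
    char *p = out;
    for (const char *s = in; *s; s++) {
        const char *rep = NULL;
        switch (*s) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        if (rep) {
            size_t n = strlen(rep);
            memcpy(p, rep, n);
            p += n;
        } else {
            *p++ = *s;
        }
    }
    *p = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample: plugin output that contains markup characters. */
    const char *plugin_output = "DISK OK <b>/var</b> & \"tmp\" 5% used";
    char *safe = html_escape(plugin_output);
    if (safe == NULL) return 1;
    printf("<td>%s</td>\n", safe);  /* markup is rendered as text, not parsed */
    free(safe);
    return 0;
}
```

This covers text placed in element content or quoted attribute values; values written into URLs or inline script need their own context-specific encoding.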