Re: [Nagios-devel] Variables encoded twice
Posted: Fri Aug 01, 2008 12:50 am
* Bernd Arnold [31.07.2008 21:04]:
> 1.49 is titled "XSS vulnerability fixes".
>
> I don't know the depth of security, but unencoded strings can change
> the behavior if something like special characters (' &) are
> submitted. I think it's important that such things are encrypted,
> though I also think it's sufficient when a function like PHP's
> htmlentities function is used (keeps spaces as spaces, not +). Maybe
> host_name for example cannot contain such characters, but it's safer
> to encode everything.
The submitted parameters are processed by sanitize_cgi_input() at the
start of the CGI. There is no added security if we process them again at
this point.
Example: If you have a host with the name SDSL:Customer you can call
avail.cgi for the first time with no problems. But if you change the
timeperiod and resubmit, the hostname is converted to SDSL%3ACustomer
and you get an error.
Regards,
Armin Wolfermann
OSN Online Service Nuremberg
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
> 1.49 is titled "XSS vulnerability fixes".
>
> I don't know the depth of security, but unencoded strings can change
> the behavior if something like special characters (' &) are
> submitted. I think it's important that such things are encrypted,
> though I also think it's sufficient when a function like PHP's
> htmlentities function is used (keeps spaces as spaces, not +). Maybe
> host_name for example cannot contain such characters, but it's safer
> to encode everything.
The submitted parameters are processed by sanitize_cgi_input() at the
start of the CGI. There is no added security if we process them again at
this point.
Example: If you have a host with the name SDSL:Customer you can call
avail.cgi for the first time with no problems. But if you change the
timeperiod and resubmit, the hostname is converted to SDSL%3ACustomer
and you get an error.
Regards,
Armin Wolfermann
OSN Online Service Nuremberg
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]