Christoph Biedl wrote:
> Ethan Galstad wrote...
>
>> The only thing that really needs to be escaped/sanitized in my opinion
>> is the plugin output. Everything else (host names, etc.) is specified
>> by the admin in the config files. The output from plugin can vary
> >> each/every invocation, so the safety of the output is unknown at any
>> given time.
>
> That's my point. The plugin output is still sent to the browser as-is,
> in other words,
>
> | define command {
> | command_name xss
> | command_line /bin/echo 'Hello world.'
> | }
>
> still opens a door for a lot of funny things as long as an attacker is
> able to control plugin output.
>
> My workaround, as also sent to the Debian BTS:
>
> --- nagios-2.10.ORIG/cgi/cgiutils.c 2007-10-21 16:39:51.000000000 +0200
> +++ nagios-2.10/cgi/cgiutils.c 2007-11-07 10:11:05.000000000 +0100
> @@ -1418,8 +1418,8 @@
> char * strip_plugin_html(char *input){
>
> /* TODO */
> -
> - return input;
> + /* Use html_encode for the time being */
> + return html_encode (input);
> }
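
Review bot: in strip_plugin_html(), the return value used to be `input` itself and is now whatever html_encode() returns, so callers that rely on the result aliasing their own buffer (modifying it in place, or freeing it) should be checked, and the comment should say who owns the returned buffer. The function is still named strip_plugin_html() although it now encodes rather than strips, and the `/* TODO */` marker stays, so it is worth stating in the comment that plugin output containing intentional HTML will be shown as literal text until the TODO is resolved. Minor style point: `html_encode (input)` has a space before the parenthesis, unlike the `strip_plugin_html(char *input)` declaration above it.
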
>
> Christoph
>
A patch will be in CVS shortly. I'll replace all strip_plugin_html()
calls with html_encode(), so it syncs with the 3.x stuff.
Ethan Galstad
Nagios Developer
___
Email: [email protected]
Web: www.nagios.org
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
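
The encoding step discussed in this thread, as an added example that is neither Nagios's html_encode() nor part of the original posts: a bounded C routine that escapes untrusted plugin output before it is written into a CGI page. The name encode_plugin_output, the buffer sizes and the sample plugin output are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Nagios code): writes an HTML-escaped copy of
 * untrusted plugin output into dst, which is always NUL-terminated.
 * Returns the number of bytes written (excluding the NUL), or -1 if the
 * output had to be truncated. An entity is never cut in half, so a
 * truncated result is still safe to embed in the page. */
long encode_plugin_output(const char *src, char *dst, size_t dst_size)
{
    size_t out = 0;

    if (dst == NULL || dst_size == 0)
        return -1;
    if (src == NULL)
        src = "";

    for (; *src != '\0'; src++) {
        char single[2] = { *src, '\0' };
        const char *rep;
        size_t len;

        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = single;   break;
        }
        len = strlen(rep);
        if (out + len + 1 > dst_size) {   /* no room for rep plus NUL */
            dst[out] = '\0';
            return -1;
        }
        memcpy(dst + out, rep, len);
        out += len;
    }
    dst[out] = '\0';
    return (long)out;
}

int main(void)
{
    /* Constructed sample of plugin output that carries markup. */
    const char *plugin_output = "OK <script>alert(1)</script> & 'done'";
    char cell[256];

    if (encode_plugin_output(plugin_output, cell, sizeof cell) >= 0)
        printf("<td>%s</td>\n", cell);
    return 0;
}
```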