Re: [Nagios-devel] escaping/sanitizing plugin output in nagios web
Posted: Tue Apr 03, 2007 7:04 am
David Schlecht wrote:
> On 4/2/07, sean finney wrote:
>>
>> hey ethan et al,
>>
>> someone raised a bug in the debian bts:
>>
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=416814
>>
>> basically bringing to light the fact that the output from various
>> plugins is placed verbatim into web page output. the theoretical
>> problem with this is that some remote host could place XSS code in the
>> output, making it possible to hijack/co-opt the nagios admin's web
>> browser to do naughty things.
>>
>>
> This same bug exists in config.c when displaying arguments TO the plugins.
>
That's not a bug, and in no way a security issue. If someone has access to
modify the nagios config files you should stop worrying about XSS attacks
for the same reason you shouldn't try to plug a leak in the kitchen sink
when your house is on fire.
EBBOM, please.
--
Andreas Ericsson [email protected]
OP5 AB www.op5.se
Tel: +46 8-230225 Fax: +46 8-230231
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
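The remedy the thread is discussing, escaping plugin output before a CGI writes it into HTML so that any markup a remote host returns is rendered as text rather than interpreted by the admin's browser, shown as an added example in C. This is not Nagios' own code: the functions `html_escape` and `html_escape_dup`, the `render_status_cell` helper and the sample plugin output line are constructed here for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Map the five characters that matter in HTML text and attribute
 * context to their entities; everything else passes through unchanged. */
static const char *entity_for(unsigned char c)
{
    switch (c) {
    case '&':  return "&amp;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '"':  return "&quot;";
    case '\'': return "&#39;";
    default:   return NULL;
    }
}

/* Escape 'in' into 'out' (capacity 'outlen', NUL included).
 * Returns the length the fully escaped string needs, NUL excluded,
 * like snprintf, so a caller can detect truncation by comparing the
 * return value against outlen. Entities are copied whole or not at
 * all, so a truncated result never ends in a half-written entity.
 * Passing out == NULL or outlen == 0 only measures. */
size_t html_escape(const char *in, char *out, size_t outlen)
{
    size_t needed = 0;   /* bytes the complete escaped string requires */
    size_t pos = 0;      /* bytes actually written so far */
    int full = 0;        /* set once a piece no longer fits */

    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        const char *ent = entity_for(*p);
        char single[2] = { (char)*p, '\0' };
        const char *piece = ent ? ent : single;
        size_t plen = strlen(piece);

        needed += plen;
        if (out != NULL && outlen > 0 && !full) {
            if (pos + plen < outlen) {   /* keep one byte for the NUL */
                memcpy(out + pos, piece, plen);
                pos += plen;
            } else {
                full = 1;
            }
        }
    }
    if (out != NULL && outlen > 0)
        out[pos] = '\0';
    return needed;
}

/* Convenience wrapper: heap-allocate exactly the buffer the escaped
 * string needs. Caller frees. Returns NULL on allocation failure. */
char *html_escape_dup(const char *in)
{
    size_t needed = html_escape(in, NULL, 0);
    char *buf = malloc(needed + 1);
    if (buf == NULL)
        return NULL;
    html_escape(in, buf, needed + 1);
    return buf;
}

/* Build one table cell the way a status CGI would, with the untrusted
 * plugin output escaped and the fixed markup around it left as-is.
 * Returns the number of bytes the cell needs, NUL excluded. */
size_t render_status_cell(const char *plugin_output, char *out, size_t outlen)
{
    char *escaped = html_escape_dup(plugin_output);
    if (escaped == NULL)
        return 0;
    int n = snprintf(out, outlen, "<td class=\"statusOutput\">%s</td>", escaped);
    free(escaped);
    return n < 0 ? 0 : (size_t)n;
}

int main(void)
{
    /* Constructed plugin output: a remote check that returns markup. */
    const char *plugin_output =
        "DISK WARNING - free space: / 10% <b>&lt;low&gt;</b> \"root\" & 'var'";
    char cell[512];

    render_status_cell(plugin_output, cell, sizeof cell);
    puts(cell);   /* the <b> tag and quotes appear literally in the page */
    return 0;
}
```

The two-pass sizing keeps the escaper usable with the fixed-size buffers common in C CGIs while never splitting an entity across the truncation point; a caller that needs the full string compares the return value against its buffer size and retries with `html_escape_dup`.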