Re: [Nagios-devel] nagios2 plugin output sanitization
Posted: Wed Nov 07, 2007 1:13 am
Ethan Galstad wrote...
> The only thing that really needs to be escaped/sanitized in my opinion
> is the plugin output. Everything else (host names, etc.) is specified
> by the admin in the config files. The output from plugin can vary
> each/every invocation, so the safety of the output is unknown at any
> given time.
That's my point. The plugin output is still sent to the browser as-is,
in other words,
| define command {
| command_name xss
| command_line /bin/echo 'Hello world.'
| }
still opens a door for a lot of funny things as long as an attacker is
able to control plugin output.
My workaround, as also sent to the Debian BTS:
--- nagios-2.10.ORIG/cgi/cgiutils.c 2007-10-21 16:39:51.000000000 +0200
+++ nagios-2.10/cgi/cgiutils.c 2007-11-07 10:11:05.000000000 +0100
@@ -1418,8 +1418,8 @@
char * strip_plugin_html(char *input){
/* TODO */
-
- return input;
+ /* Use html_encode for the time being */
+ return html_encode (input);
}
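Review bot: On the new `return html_encode (input);` line, the function stops returning the caller's own `input` pointer and returns whatever `html_encode` hands back, and the hunk does not show who owns that buffer or how long it stays valid. Every caller of `strip_plugin_html` that keeps the result across a second call, or that encodes the string again before printing it, should be checked. The name still says "strip" while the body now encodes, and the `/* TODO */` is left in place, so the comment should say that encoding is the interim behaviour and what the intended final behaviour is.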
Christoph
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
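An added example, not part of the original post and not Nagios code: one way to HTML-encode untrusted plugin output into a caller-owned buffer so the result has no hidden ownership and fails closed when it does not fit. The function name `encode_plugin_output`, the buffer size and the sample string are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not Nagios code: HTML-encode untrusted plugin output
 * into a caller-owned buffer. Returns bytes written (without the NUL), or -1
 * if the encoded text does not fit; dst is then left empty, so a half-written
 * entity or tag never reaches the page. src is never modified. */
int encode_plugin_output(const char *src, char *dst, size_t dstlen)
{
    size_t used = 0;

    if (dst == NULL || dstlen == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return 0;
    for (; *src != '\0'; src++) {
        char one[2] = { *src, '\0' };
        const char *rep = one;              /* default: copy the byte as-is */
        size_t n;

        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;   /* double-quoted attributes */
        case '\'': rep = "&#39;";  break;   /* single-quoted attributes */
        }
        n = strlen(rep);
        if (used + n >= dstlen) {           /* keep one byte for the NUL */
            dst[0] = '\0';                  /* fail closed */
            return -1;
        }
        memcpy(dst + used, rep, n);
        used += n;
    }
    dst[used] = '\0';
    return (int)used;
}

int main(void)
{
    /* Constructed sample standing in for one line of plugin output. */
    char out[128];
    if (encode_plugin_output("<b>OK</b> & 'up'", out, sizeof out) >= 0)
        puts(out);
    return 0;
}
```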