[PATCH] fix xss vulnerability in config/statusmap.cgi trackerids #207 #224
Posted: Fri Jun 10, 2011 7:57 am
hi,
on your tracker, 2 issues point to several xss vulnerabilities. since
we've fixed them in icinga, and previous command expander needed an
enhanced patch too, i decided to push that over here too while adding
that patch to the omd package.
description is in icinga's dev tracker
https://dev.icinga.org/issues/1281
https://dev.icinga.org/issues/1605
this is a combined fix of those 2 issues #207 #224 @ tracker.nagios.org,
diff'ed against 3.2.3 release on holger's git repository.
feel free to accept it or not, as usual i won't provide any tests as
user feedback was sufficient.
kind regards,
michael
--
DI (FH) Michael Friedrich
Vienna University Computer Center
Universitaetsstrasse 7 A-1010 Vienna, Austria
email: [email protected]
phone: +43 1 4277 14359
mobile: +43 664 60277 14359
fax: +43 1 4277 14338
web: http://www.univie.ac.at/zid
http://www.aco.net
Icinga Core & IDOUtils Developer
http://www.icinga.org
Attachment: 0001-fix-xss-vulnerability-in-config-statusmap.cgi-tracke.patch
From 3107f838f6d3949d09a220cf8cb6c04ca5b0c4e7 Mon Sep 17 00:00:00 2001
From: Michael Friedrich
Date: Fri, 10 Jun 2011 09:49:47 +0200
Subject: [PATCH] fix xss vulnerability in config/statusmap.cgi trackerids #207 #224
the main cause for this in config.cgi is the lack of really
escaping malicious html strings, as the injected JS example
shows.
the proposed fix only targets the local expander form, while you
can also use the other config locations (e.g. hosts) to pass
the expand GET attribute and inject that.
even more, the escape_html_tags=1 setting in cgi.cfg will prevent
most of it. but setting this to 0 (disabling it for e.g. check_multi
output) will cause more evil than expected.
this patch addresses all possible use cases and fixes them
accordingly. next to that, it also includes the statusmap.cgi
fix.
refer to https://dev.icinga.org/issues/1605 for a detailed
analysis.
---
cgi/config.c | 40 ++++++++++++++++++++--------------------
cgi/statusmap.c | 2 +-
2 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/cgi/config.c b/cgi/config.c
index 8f5b0a4..a58f265 100644
--- a/cgi/config.c
+++ b/cgi/config.c
@@ -109,7 +109,7 @@ void print_expand_input(int type){
else if (type==DISPLAY_HOSTESCALATIONS){ seldesc=" Escalations for Host"; }
printf("Show Only%s:\n",seldesc);
printf("",html_encode(to_expand,FALSE));
+ printf("value='%s'>",escape_string(to_expand));
}
int main(void){
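Review bot: the `+` line in print_expand_input() writes the user-controlled to_expand into a single-quoted attribute, `value='%s'`, so escape_string() has to encode `'` (as well as `&`, `<` and `>`) unconditionally for this to be safe; the commit message says html_encode(to_expand,FALSE) only does so when escape_html_tags=1 is set in cgi.cfg, which is the root cause being fixed, so please confirm escape_string() carries no such toggle before relying on it at every call site. Also, as archived the removed line appears without its leading `-` and with its `<input` markup missing, so the hunk as shown here would not apply cleanly; the attached patch file should be used for the actual merge.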
@@ -464,7 +464,7 @@ void display_hosts(void){
}
printf("Host%s%s\n",
- (*to_expand=='\0'?"s":" "),(*to_expand=='\0'?"":html_encode(to_expand,FALSE)));
+ (*to_expand=='\0'?"s":" "),(*to_expand=='\0'?"":escape_string(to_expand)));
printf("\n");
printf("\n");
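Review bot: the expression `(*to_expand=='\0'?"s":" "),(*to_expand=='\0'?"":escape_string(to_expand))` is now copied verbatim into display_hosts() and, per the following hunks, display_hostgroups() and display_servicegroups(); a small helper that takes the section label and owns the escaping (e.g. a `print_section_title(const char *label)`) would make it impossible for the next display_* function to fall back to the unescaped html_encode() form. The replacement at this call site itself is the right fix.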
@@ -794,7 +794,7 @@ void display_hostgroups(void){
}
printf("Host Group%s%s\n",
- (*to_expand=='\0'?"s":" "),(*to_expand=='\0'?"":html_encode(to_expand,FALSE)));
+ (*to_expand=='\0'?"s":" "),(*to_expand=='\0'?"":escape_string(to_expand)));
printf("\n");
printf("\n");
@@ -869,7 +869,7 @@ void display_servicegroups(void){
}
printf("Service Group%s%s\n",
- (*to_expand=='\0'?"s":" "),(*to_expand=='\0'?"":html_encode(to_expand,FALSE)));
+ (*to_expand=='\0'?"s":" "),(*to_expand=='\0'?"":escape_string(to_expand)));
printf("\n");
printf("\n");
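Review bot: the diffstat above lists cgi/statusmap.c (2 +-) and 21 insertions in total, but the message is truncated after this hunk, so the statusmap.cgi change named in the commit message and the remaining config.c hunks cannot be reviewed from this archive copy; the complete patch should be attached to tracker issues #207 and #224 so every call site that echoes to_expand can be checked against the same escaping routine.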
...[email truncated]...
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]