Reply: [Nagios-devel] clean_macro_chars() no longer called in utils.c in
Posted: Fri Feb 04, 2005 4:40 am
Hello Stanley,
> Nagios 2.0b1 appears not to clean illegal characters from certain macros
> as documented.
I've already tried to point that out a few times, no one listened though.
> Whereas 1.2 has a logical case formed by an 'if then else if ..' chain
> to clean the macro content depending on the macro name, the 2.0b1 code
> relies on a flag named clean_macro that is only cleared (as far as I
> can see).
Not only does that hamper the functionality of Nagios by quite a bit
(I still can't see the output of check_nt DISKUSAGE service checks...),
but it poses a BIG security risk too.
Just think of handcrafted passive checks. It would take me approx. 5 mins
to break the system apart, since some macro outputs are parsed by
shell scripts.
sash
--------------------------------------------------
Sascha Runschke
Netzwerk Administration
IT-Services
ABIT AG
Robert-Bosch-Str. 1
40668 Meerbusch
Tel.:+49 (0) 2150.9153.226
mailto:[email protected]
http://www.abit.net
http://www.abit-epos.net
http://www.my-academy.net
--------------------------------------------------
The content of this email and its attachments is intended solely for the named addressee. If you are not the intended addressee of this email or their representative, please note that any form of reading, publication, reproduction or forwarding of the content of this email is not permitted. We would also like to point out that communication by email over the Internet is insecure, since unauthorised third parties fundamentally have the possibility of reading and manipulating it. If you have received this message in error, please inform the sender and delete this message together with its attachments. Thank you very much.
The information and any attachments contained in this email are intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any form of disclosure, reproduction, distribution or any action taken or refrained from in reliance on it, is prohibited and may be unlawful. We also like to inform you that communication via email over the internet is insecure because third parties may have the possibility to access and manipulate emails. If you have received the message in error, please advise the sender and delete the message and any attachments. Thank you very much.
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
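An added example, not from this thread and not Nagios' own code, of the kind of unconditional per-macro sanitisation the post argues for: every character in a configured "illegal" set is stripped from plugin output before the value can be substituted into a macro that a shell command later consumes, with a separate check that verifies nothing slipped through. The character set and the sample output are constructed; `clean_macro_output` and `macro_contains_illegal` are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample of an "illegal macro output characters" set:
 * shell metacharacters that must never reach a macro which is
 * substituted into a command line. Not copied from Nagios. */
static const char *illegal_macro_output_chars = "`~$&|'\"<>";

/* Return a newly allocated copy of `in` with every character listed in
 * `illegal` removed. The point, compared with a flag that is only ever
 * cleared, is that the cleaning is applied unconditionally on the path
 * from plugin output to macro value. Caller frees the result. */
char *clean_macro_output(const char *in, const char *illegal) {
    size_t n = strlen(in);
    char *out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    size_t j = 0;
    for (size_t i = 0; i < n; i++) {
        /* keep the byte only if it is not in the illegal set */
        if (strchr(illegal, in[i]) == NULL)
            out[j++] = in[i];
    }
    out[j] = '\0';
    return out;
}

/* Defensive post-condition: 1 if `value` still contains any illegal
 * character, 0 otherwise. Useful as an assertion before a macro is
 * handed to a command. */
int macro_contains_illegal(const char *value, const char *illegal) {
    for (const char *p = value; *p != '\0'; p++)
        if (strchr(illegal, *p) != NULL)
            return 1;
    return 0;
}

int main(void) {
    /* Constructed passive-check output carrying shell metacharacters. */
    const char *raw = "DISK OK - 42% used; note=`x`|$(y)";
    char *cleaned = clean_macro_output(raw, illegal_macro_output_chars);
    if (cleaned == NULL)
        return 1;
    printf("raw:     %s\n", raw);
    printf("cleaned: %s\n", cleaned);
    printf("unsafe after cleaning: %d\n",
           macro_contains_illegal(cleaned, illegal_macro_output_chars));
    free(cleaned);
    return 0;
}
```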