New CCM - Descriptions can't have apostrophes

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
CGraham
Posts: 115
Joined: Tue Aug 16, 2011 2:43 pm

New CCM - Descriptions can't have apostrophes

Post by CGraham »

In the new CCM you cannot save a config that has an apostrophe (') in the description. You get a SQL parse error... perhaps the field is vulnerable to SQL injection?
mguthrie
Posts: 4380
Joined: Mon Jun 14, 2010 10:21 am

Re: New CCM - Descriptions can't have apostrophes

Post by mguthrie »

Actually we uncovered a bug where the JavaScript form validation wasn't working properly for all objects in the new CCM, which should be fixed in 1.3. Apostrophes are actually considered an illegal character for an object name to Nagios.

Code:

illegal_object_name_chars=`~!$%^&*|'"<>?,()=
I'll double check through the code, but every POST/GET variable processed by the new CCM should be getting sanitized against XSS and SQL injection attacks, which was another big reason for the new version of it.
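
The failure reported above and the server-side handling discussed in the reply, as an added example that is not part of the original posts and is not Nagios XI code. It assumes a hypothetical table `tbl_service` and uses Python's sqlite3 as a stand-in database; only the `illegal_object_name_chars` value comes from the thread.

```python
import sqlite3

# Value of illegal_object_name_chars quoted in the thread.
ILLEGAL_OBJECT_NAME_CHARS = "`~!$%^&*|'\"<>?,()="


def illegal_chars_in(name):
    """Return the illegal characters found in an object name, in order seen."""
    seen = []
    for ch in name:
        if ch in ILLEGAL_OBJECT_NAME_CHARS and ch not in seen:
            seen.append(ch)
    return seen


def make_db():
    # Hypothetical schema; the real CCM tables are not shown in the thread.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tbl_service (name TEXT, description TEXT)")
    return db


def save_concatenated(db, name, description):
    """'Before' form: the value is pasted into the SQL text."""
    sql = ("INSERT INTO tbl_service (name, description) "
           "VALUES ('%s', '%s')" % (name, description))
    try:
        db.execute(sql)
        return "saved"
    except sqlite3.Error as exc:
        return "SQL error: %s" % exc


def save_parameterized(db, name, description):
    """Hardened form: validate the name, bind every value as a parameter."""
    bad = illegal_chars_in(name)
    if bad:
        return "rejected name, illegal chars: " + "".join(bad)
    db.execute("INSERT INTO tbl_service (name, description) VALUES (?, ?)",
               (name, description))
    return "saved"


def stored_descriptions(db):
    return [row[0] for row in db.execute("SELECT description FROM tbl_service")]


if __name__ == "__main__":
    db = make_db()
    sample = "Bob's web server"  # constructed input
    print(save_concatenated(db, "web01", sample))
    print(save_parameterized(db, "web01", sample))
    print(stored_descriptions(db))
```

A parse error on a lone apostrophe means the value reached the SQL text unescaped, so client-side JavaScript validation alone does not close the gap; binding the value on the server does.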
CGraham
Posts: 115
Joined: Tue Aug 16, 2011 2:43 pm

Re: New CCM - Descriptions can't have apostrophes

Post by CGraham »

Good news. Thanks.