New CCM - Descriptions can't have apostrophes
Posted: Thu Dec 06, 2012 9:48 am
by CGraham
In the new CCM you cannot save a config that has an apostrophe (') in the description. You get a SQL parse error... perhaps the field is vulnerable to SQL injection?
Re: New CCM - Descriptions can't have apostrophes
Posted: Thu Dec 06, 2012 10:08 am
by mguthrie
Actually we uncovered a bug where the JavaScript form validation wasn't all working properly for all objects in the new CCM, which should be fixed in 1.3. Apostrophes are actually considered an illegal character for an object name to Nagios.
Code:
illegal_object_name_chars=`~!$%^&*|'"<>?,()=
I'll double check through the code, but every POST/GET variable processed by the new CCM should be getting sanitized against XSS and SQL injection attacks, which was another big reason for the new version of it.
Re: New CCM - Descriptions can't have apostrophes
Posted: Thu Dec 06, 2012 11:24 am
by CGraham
Good news. Thanks.
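
A parse error like the one reported in the first post is what an unescaped apostrophe produces when a value is pasted into SQL text, and the reply names two defences: the illegal-character list for object names and sanitizing of request variables. The added example below (not Nagios XI or CCM code) shows the failing form beside a server-side name check with bound parameters; Python's sqlite3 stands in for the real database, and the host table, function names and sample description are assumptions.

```python
import sqlite3

# Character list quoted in the thread (illegal_object_name_chars).
ILLEGAL_OBJECT_NAME_CHARS = "`~!$%^&*|'\"<>?,()="

def illegal_chars_in(name):
    """Return the illegal characters found in an object name, in order."""
    return [c for c in name if c in ILLEGAL_OBJECT_NAME_CHARS]

def make_db():
    # Hypothetical schema; an in-memory sqlite3 database is a stand-in.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE host (name TEXT PRIMARY KEY, description TEXT)")
    return db

def save_concatenated(db, name, description):
    """'Before' form: values are pasted into the SQL text itself."""
    sql = ("INSERT INTO host (name, description) VALUES ('%s', '%s')"
           % (name, description))
    db.execute(sql)

def save_parameterized(db, name, description):
    """Hardened form: name checked on the server, values sent as parameters."""
    bad = illegal_chars_in(name)
    if bad:
        raise ValueError("illegal characters in object name: %r" % bad)
    db.execute("INSERT INTO host (name, description) VALUES (?, ?)",
               (name, description))

def demo():
    """Return (error from the concatenated save, description stored by the
    parameterized save) for a description containing an apostrophe."""
    db = make_db()
    description = "Bob's web server"  # constructed sample value
    try:
        save_concatenated(db, "web01", description)
        error = None
    except sqlite3.OperationalError as exc:
        error = str(exc)  # the statement no longer parses
    save_parameterized(db, "web01", description)
    stored = db.execute("SELECT description FROM host WHERE name = ?",
                        ("web01",)).fetchone()[0]
    return error, stored

if __name__ == "__main__":
    print(demo())
```

The name check runs on the server, so it still applies when client-side form validation is missing or bypassed, while free-text fields such as the description need no character restrictions once they are bound as parameters.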