escaping/sanitizing plugin output in nagios web interfaces

Ethan Galstad nagios at nagios.org
Mon Apr 9 04:59:22 CEST 2007


sean finney wrote:
> Hi Andreas,
> 
> On Tue, 2007-04-03 at 17:03 +0200, Andreas Ericsson wrote:
> 
>>> This same bug exists in config.c when displaying arguments TO the plugins.
>>>
>> That's not a bug, and in no way a security issue. If someone has access to
>> modify the nagios config files you should stop worrying about XSS attacks
>> for the same reason you shouldn't try to plug a leak in the kitchen sink
>> when your house is on fire.
> 
> Granted I haven't actually checked this, but what if you have a
> check_command defined as "/path/to/something < /path/to/input"?  Not a
> security issue in this regard, but I'd say a bug if it mucks with the
> displaying of the content.
> 
> In any event I'd say it's a matter that should still be worked out with
> the plugin output presentation.  
> 
> 
> 	sean
> 

I think it's a good idea to escape HTML whenever possible.  I think these 
kinds of problems can all be avoided by simply escaping the < and > 
characters.  I've updated the html_encode() function and changed the 
CGIs to encode all plugin/perfdata output in the CGIs, as well as the 
command definitions in the config CGI.  I think I've got the code 
changed in all the necessary places.  Patches will be made to the CVS code 
(Nagios 2.x and 3/HEAD branches) shortly.


Ethan Galstad,
Nagios Developer
---
Email: nagios at nagios.org
Website: http://www.nagios.org
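Editor's note, with an added example that is not code from the Nagios
project or from anyone in the thread above: the mail describes escaping
< and > in plugin output before the CGIs print it.  That is enough when
the string is emitted as plain element text, but CGI templates also put
plugin output and command definitions into attribute values (a title="..."
tooltip, for instance), and there a raw double quote closes the attribute
and lets the rest of the string become new attributes or event handlers.
The block below is an illustrative C implementation (the function names
html_encode_angle_only, html_encode_full and breaks_quoted_attribute are
my own, not Nagios's html_encode()) that contrasts the two encoders on a
few constructed sample strings, including Sean's "< /path/to/input"
case, which encodes to "&lt;" and still renders as "<" in the browser.
The rule of thumb it illustrates: encode once, at the point of output,
for the context you are writing into, and cover & " ' as well as < >.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not Nagios's html_encode(): two output encoders for a
 * string about to be written into an HTML page by a CGI.
 *
 * html_encode_angle_only() is the narrow approach of escaping just '<'
 * and '>'.  html_encode_full() also covers '&', '"' and '\'', which is
 * what makes the result safe inside a double-quoted attribute value.
 * Both return a malloc'd string the caller frees, or NULL on failure.
 */

static const char *entity_for(char c, int full)
{
    switch (c) {
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '&':  return full ? "&amp;"  : NULL;
    case '"':  return full ? "&quot;" : NULL;
    case '\'': return full ? "&#x27;" : NULL;
    default:   return NULL;
    }
}

static char *encode(const char *input, int full)
{
    size_t len = strlen(input);
    /* worst case: every byte becomes a six-byte entity ("&quot;", "&#x27;") */
    char *out = malloc(len * 6 + 1);
    if (out == NULL)
        return NULL;
    char *p = out;
    for (const char *s = input; *s != '\0'; s++) {
        const char *rep = entity_for(*s, full);
        if (rep == NULL) {
            *p++ = *s;                 /* ordinary byte, copied through */
        } else {
            size_t rl = strlen(rep);
            memcpy(p, rep, rl);        /* replace with its entity */
            p += rl;
        }
    }
    *p = '\0';
    return out;
}

char *html_encode_angle_only(const char *input) { return encode(input, 0); }
char *html_encode_full(const char *input)       { return encode(input, 1); }

/*
 * Returns 1 if 'encoded' can still terminate a double-quoted attribute
 * value, i.e. a raw '"' survived encoding; 0 otherwise.
 */
int breaks_quoted_attribute(const char *encoded)
{
    return strchr(encoded, '"') != NULL;
}

int main(void)
{
    /* constructed sample plugin output, not captured from a real check */
    const char *samples[] = {
        "DISK OK - free space: / 1234 MB (56%)",
        "/path/to/something < /path/to/input",
        "\" onmouseover=\"alert(1)",
        "<script>alert(document.cookie)</script>",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *narrow = html_encode_angle_only(samples[i]);
        char *full = html_encode_full(samples[i]);
        if (narrow == NULL || full == NULL)
            return 1;
        printf("input:      %s\n", samples[i]);
        printf("angle-only: <td title=\"%s\"> %s\n", narrow,
               breaks_quoted_attribute(narrow) ? "(attribute breakout)" : "");
        printf("full:       <td title=\"%s\">\n\n", full);
        free(narrow);
        free(full);
    }
    return 0;
}
```

Run stand-alone, the third sample shows the difference: with the
angle-only encoder the title attribute closes after the first quote and
"onmouseover" becomes a live handler, while the full encoder leaves a
single, inert attribute value.  Because '&' is encoded, the same string
must not be passed through the encoder twice (it would come out as
"&amp;amp;"), so the encoding belongs at the single point where the CGI
writes the value, not in the plugin or the config parser.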
