nagios2 plugin output sanitization

Christoph Biedl nagios.cvvz at manchmal.in-ulm.de
Wed Nov 7 10:13:21 CET 2007


Ethan Galstad wrote...

> The only thing that really needs to be escaped/sanitized in my opinion 
> is the plugin output.  Everything else (host names, etc.) is specified 
> by the admin in the config files.  The output from plugin can vary 
> each/every invocation, so the safety of the output is unknown at any 
> given time.

That's my point.  The plugin output is still sent to the browser as-is,
in other words,

| define command {
|     command_name xss
|     command_line /bin/echo 'Hello <font color="red" size="+10">world</font>.'
| }

still opens a door for a lot of funny things as long as an attacker is
able to control plugin output.

My workaround, as also sent to the Debian BTS:

--- nagios-2.10.ORIG/cgi/cgiutils.c     2007-10-21 16:39:51.000000000 +0200
+++ nagios-2.10/cgi/cgiutils.c  2007-11-07 10:11:05.000000000 +0100
@@ -1418,8 +1418,8 @@
 char * strip_plugin_html(char *input){

        /* TODO */
-
-       return input;
+       /* Use html_encode for the time being */
+       return html_encode (input);
        }
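
Review bot: the changed return line in strip_plugin_html() no longer hands back the caller's own input pointer but whatever html_encode() returns, so each caller needs checking for assumptions about that pointer (its lifetime, whether it is modified in place, whether two results are used in one statement). The new comment should state who owns the returned buffer. The TODO context line stays, which is reasonable for a stopgap, but the function is still named "strip" while it now encodes, so markup that a plugin emits on purpose will be displayed literally; say so in the comment. Minor style point: "html_encode (input)" has a space before the parenthesis, while the signature line "strip_plugin_html(char *input)" has none.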

    Christoph
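
The encoding step the workaround relies on, as an added example that is not part of the original post and does not reproduce Nagios's html_encode(): the name encode_plugin_output and its caller-supplied buffer interface are assumptions made for this sketch, and the input in main() is the echo output from the command definition above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a Nagios function): HTML-encode untrusted plugin
 * output into a caller-supplied buffer. Returns the encoded length, or -1
 * if dst is too small; on failure dst holds an empty string, so a
 * truncated entity is never sent to the browser. */
long encode_plugin_output(const char *src, char *dst, size_t dstlen)
{
    size_t used = 0;

    if (src == NULL || dst == NULL || dstlen == 0)
        return -1;

    for (; *src != '\0'; src++) {
        char one[2] = { *src, '\0' };
        const char *rep;
        size_t n;

        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;   /* matters inside attributes */
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        n = strlen(rep);
        if (n >= dstlen - used) {           /* keep room for the terminator */
            dst[0] = '\0';
            return -1;
        }
        memcpy(dst + used, rep, n);
        used += n;
    }
    dst[used] = '\0';
    return (long)used;
}

int main(void)
{
    /* Plugin output taken from the command definition in the message. */
    const char *out = "Hello <font color=\"red\" size=\"+10\">world</font>.";
    char buf[256];

    if (encode_plugin_output(out, buf, sizeof buf) < 0)
        return 1;
    puts(buf);
    return 0;
}
```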
