nagios2 plugin output sanitization

Christoph Biedl nagios.cvvz at manchmal.in-ulm.de
Thu Nov 8 09:34:45 CET 2007


John P. Rouillard wrote...

> Returning HTML from the plugin is not a bad thing especially with the
> larger output size we now have. I can easily see the plugin doing some
> diagnosis and providing a link to the page that describes the problem
> and solution for an operator to implement.

This makes sense.  But nagios will have to default to "plugin may send
harmful content", at least as long as plugins forward third parties' data
as-is, e.g. the greeting banner of an NNTP server tested.  Volunteers to
audit all plugins currently available?

In other words, the current state of nagios2 allows another XSS attack
although this cannot be done easily.  My primary intent is to have that
problem fixed.

    Christoph
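
The default asked for in the message above, sketched as an added example that is not part of the original post and not Nagios code: plugin output is HTML-escaped before display unless the plugin is explicitly marked as trusted to return markup. The function name `render_plugin_output`, the `trusted_html` flag and the sample banner are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from Nagios): entity for an HTML-significant byte, or NULL. */
static const char *entity_for(unsigned char c)
{
    switch (c) {
    case '&':  return "&amp;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '"':  return "&quot;";
    case '\'': return "&#39;";
    default:   return NULL;
    }
}

/* Copy plugin output into out for display in a web page.
 * trusted_html == 0 (the default): every HTML-significant byte is escaped.
 * trusted_html != 0: output is passed through for plugins audited to emit markup.
 * Returns 0 on success, -1 if out is too small; on failure out is left empty,
 * so a truncated entity or half-copied tag is never displayed. */
int render_plugin_output(const char *raw, int trusted_html, char *out, size_t outlen)
{
    size_t used = 0;
    if (out == NULL || outlen == 0) return -1;
    out[0] = '\0';
    if (raw == NULL) return 0;
    for (; *raw != '\0'; raw++) {
        const char *ent = trusted_html ? NULL : entity_for((unsigned char)*raw);
        size_t need = ent ? strlen(ent) : 1;
        if (used + need + 1 > outlen) { out[0] = '\0'; return -1; }
        if (ent) memcpy(out + used, ent, need);
        else out[used] = *raw;
        used += need;
    }
    out[used] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample: a server banner a check plugin might forward as-is. */
    const char *banner = "200 news.example.invalid <script>alert(1)</script>";
    char buf[256];
    if (render_plugin_output(banner, 0, buf, sizeof buf) == 0)
        printf("%s\n", buf);
    return 0;
}
```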
