ANNOUNCE: Nagios Looking Glass 1.0.0#PRE is here!

Andy Shellam (Mailing Lists) andy.shellam-lists at mailnetwork.co.uk
Thu Dec 28 00:29:40 CET 2006


Hi Hans,

Doesn't sound rude at all, after all this is why it's a beta.
The only test that I think needs to be done is to check if $_GET['fid'] 
is a number.

If it was to a database I'd definitely make it more secure, but there is 
no way you can forcibly pass a parameter to NLG.
Because the content is rendered (and URLs built) by JavaScript, if you 
added ?fid=<whatever> to the query string, the JS ignores it and uses 
whatever values it holds internally (which are set when you do a select 
in the filter dropdown, and on initial load are set to 0.)

If you requested the full URL that's passed to the poller back-end, 
you'd find it extremely difficult to decipher it without the 
s3_class.inc.php file (as this is what the client front-end does) and to 
the average Joe it'd be a load of figures and numbers (sure you could 
base64 decode the relevant part of it, but it'd mean nothing without the 
s3_class.inc.php.)

Also if you passed an invalid filter to the poller, I believe (off the 
top of my head) it'd set it to 0 anyway.  Either that, or it'd just 
return no servers.

And you should set up HTTP authentication to the poller's back-end script 
so your average Joe can't access it without the correct username and 
password anyway.

For 1.0.0 I'll add the check to make sure the parameters are integers, 
but in the end I think it's a case of much ado about nothing.

All the above goes for the group ID as well (gid.)

Thanks,

Andy.

Hans Wolters wrote:
>
> Hi,
>
> > Subject: [Nagios-users] ANNOUNCE: Nagios Looking Glass 1.0.0#PRE is 
> here!
>
> > It's been a long road the last couple of weeks, but Nagios Looking Glass
> > 1.0.0#PRE is *now out* for public beta-testing.
>
> I do not want to sound rude but could you please consider making it a bit
> more secure before you name it 1.0?
>
> if (isset($_GET['fid']))
> {
>         // check if we have already given a query string to $ServerFeed_URL
>         if (strpos($ServerFeed_URL, "?") === false)
>         {
>                 $ServerFeed_URL = $ServerFeed_URL . "?fid=" . $_GET['fid'];
>         } else {
>                 $ServerFeed_URL = $ServerFeed_URL . "&fid=" . $_GET['fid'];
>         }
> }
>
> In general it is not a good idea to pass untested variables into a URL.
>
> Best regards,
>
> Hans Wolters
>


-- 
Andy Shellam
NetServe Support Team

the Mail Network
"an alternative in a standardised world"

p: +44 (0) 121 288 0832/0839
m: +44 (0) 7818 000834
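The integer check discussed above (for both fid and gid), written out as an added example. This is not Nagios Looking Glass code; the function names, the regex policy and the sample base URL are assumptions. It keeps the existing query-string handling from the quoted snippet but only ever appends a validated integer, falling back to 0 (the value the poller is said to use by default) for anything else.

```php
<?php
// Added example, not NLG's own code: validate fid/gid before they reach the feed URL.

/**
 * Return $params[$name] as an int if it is a plain non-negative decimal integer,
 * otherwise $default. Anything else (arrays, "1e3", "-5", "1 OR 1=1", "12abc")
 * is rejected rather than coerced, so the caller never sees attacker-shaped text.
 */
function validated_id(array $params, string $name, int $default = 0): int
{
    if (!isset($params[$name])) {
        return $default;
    }
    $value = $params[$name];
    // Up to 10 digits, no leading zeros: small enough to stay a PHP int everywhere.
    if (!is_string($value) || !preg_match('/^(0|[1-9][0-9]{0,9})$/', $value)) {
        return $default;
    }
    return (int) $value;
}

/**
 * Append validated fid/gid parameters to $base, honouring an existing "?" in the
 * same way the quoted snippet does, but via http_build_query so encoding is
 * handled for us.
 */
function build_feed_url(string $base, array $params): string
{
    $ids = [];
    foreach (['fid', 'gid'] as $name) {
        if (isset($params[$name])) {
            $ids[$name] = validated_id($params, $name);
        }
    }
    if ($ids === []) {
        return $base;
    }
    $separator = (strpos($base, '?') === false) ? '?' : '&';
    return $base . $separator . http_build_query($ids);
}

// Constructed inputs for a stand-alone run; the poller path is a placeholder.
$ServerFeed_URL = 'http://nagios.example/nlg/poller.php';

echo build_feed_url($ServerFeed_URL, ['fid' => '12', 'gid' => '3']), PHP_EOL;
echo build_feed_url($ServerFeed_URL . '?mode=full', ['fid' => '7']), PHP_EOL;
echo build_feed_url($ServerFeed_URL, ['fid' => '12"><script>']), PHP_EOL;
echo build_feed_url($ServerFeed_URL, ['fid' => ['1', '2']]), PHP_EOL;

// In the real page this would be called with $_GET:
// $ServerFeed_URL = build_feed_url($ServerFeed_URL, $_GET);
```

Validating to a closed integer pattern, rather than just escaping, is what makes the JavaScript-ignores-it argument unnecessary: the value is safe regardless of how it arrived, and the HTTP authentication on the poller remains a separate, complementary control.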


_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null
