ANNOUNCE: Nagios Looking Glass 1.0.0#PRE is here!

Robert Hajime Lanning lanning at lanning.cc
Thu Dec 28 08:41:20 CET 2006


Andy Shellam (Mailing Lists) wrote:
>  From the client-side, the URL that's built in the JavaScript comes
> out to:
>
> "?view=server&fid=1&gid=3"
>
> That's the most info you'll get out of the JS - pass that to the
> s3_client.php page and you'll get an un-styled, plain format of the
> page that's rendered when you click on a "Server" link.
> What benefit is there (to a normal user or a hacker) of wanting to
> change the fid and gid?  They do nothing except choose which data you
> want to get back to the client front-end.

It might not be a security issue to NLG, but passing any variable
back to the client, unsanitized, is an opening for cross-site
scripting (XSS).  This is where an attacker feeds the URL for
your site (including the bad data) to an unknowing client, who
then receives the bad data as part of the web page returned from
your site.

It is usually an attack directed at the web browser, or at another
site, relayed through your site.

So, ALL variables that contain data from outside the server
environment must be sanitized before use.  This is why Perl has
its "taint" mode, where all variables that contain external
data are "tainted" until sanitized through substitutions and the
like, and it gives errors if a "tainted" variable is used
before being sanitized.

In PHP, you have to be aware of this yourself, as it does not have a
"taint"-like mode.

-- 
And, did Galoka think the Ulus were too ugly to save?
                                         -Centauri
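As an added illustration of the point made above (example code, not part of the original message or of Nagios Looking Glass), here is the request from the thread (`?view=server&fid=1&gid=3`) handled the unsafe way and the safe way in PHP. The set of allowed `view` values and the `s3_client.php` calling convention are assumptions for the example.

```php
<?php
// Added example, not NLG code. Assumed entry point:
//   s3_client.php?view=server&fid=1&gid=3

// UNSAFE: external data echoed straight into the page. Whatever arrives in
// "view" is rendered by the browser as markup, which is exactly the XSS
// opening described in the message above.
function render_unsafe(array $query): string
{
    $view = $query['view'] ?? '';
    return "<h1>View: $view</h1>";
}

// SAFE: validate against what the application actually expects, then
// escape anything that is echoed back. PHP has no taint mode, so this
// discipline has to be applied by hand at every trust boundary.
function render_safe(array $query): string
{
    // fid/gid only ever select a record: accept non-negative integers, nothing else.
    $int_opts = ['options' => ['min_range' => 0]];
    $fid = filter_var($query['fid'] ?? '', FILTER_VALIDATE_INT, $int_opts);
    $gid = filter_var($query['gid'] ?? '', FILTER_VALIDATE_INT, $int_opts);
    if ($fid === false || $gid === false) {
        http_response_code(400);
        return 'Bad request';
    }

    // "view" is a fixed menu of page types: whitelist it rather than echo it.
    $allowed_views = ['server', 'service', 'host']; // assumed set, for illustration
    $view = $query['view'] ?? '';
    if (!in_array($view, $allowed_views, true)) {
        http_response_code(400);
        return 'Bad request';
    }

    // Even validated values are escaped on output, so the rule still holds
    // if someone later adds a free-text parameter to the page.
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf('<h1>View: %s</h1><p>fid=%d gid=%d</p>', $esc($view), $fid, $gid);
}

echo render_safe($_GET);
```

Validating `fid`/`gid` as integers also protects whatever query or file lookup they feed on the server side, not just the HTML that comes back.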


_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null