ANNOUNCE: Nagios Looking Glass 1.0.0#PRE is here!

Andy Shellam (Mailing Lists) andy.shellam-lists at mailnetwork.co.uk
Thu Dec 28 19:58:38 CET 2006


Hi Robert,

Thanks for your description below but I'm still struggling to come to 
terms with how NLG can be used to attack another site.
Firstly, my understanding of an XSS attack is of the following:

- Client requests a page (eg. www.yahoo.com)
- Hacker strips the response packets off the wire and replaces them with 
packets that have come from (eg. www.google.co.uk)
- Client receives www.google.co.uk as a result of hacker's actions

Sure, this is a problem in sites with login/sensitive details stored in 
cookies etc, which is over any HTTP connection.

If this understanding is correct, is it Google's problem that a hacker 
is sending its website in place of a different site?  It's a public 
site after all that anyone (including hackers) can access.
Now if the client receives bad data from NLG - the data is only "bad" in 
the sense that the server list will be empty, or will be reset to the 
default (filter/group 0.)  Dependent on the attack source, it may even 
only be part of the template (as the full template is requested in 3 
parts.)  How is this a security risk?

Also if the hacker strips the HTTP request from the client 
(www.yahoo.co.uk) and instead sends it to my webserver, it'll return an 
error code as it doesn't proxy - again where's the security risk?

Sorry if I'm way off, I'll happily work with anyone who wants to offer 
their support to make NLG "more secure" - but I still maintain the only 
additional check necessary is that "fid" and "gid" (GET variables) are 
integers - if they're not, reset them both to 0 (or throw an error if 
filter/group 0 don't exist.)  This will be implemented in 1.0.0.

In actual fact the poller already does this: (in "server/s3_poller.php", 
line 63 - settype($FilterToApply, "integer") and also line 73.)
Therefore if the variable is non-integer, it will be forced to 0.  The 
only thing left to do is check that the filter/group exists, and perform 
the same check on the client-side.

Thanks,

Andy.

Robert Hajime Lanning wrote:
> <quote who="Andy Shellam (Mailing Lists)">
>   
>>  From the client-side, the URL that's built in the JavaScript comes
>> out to:
>>
>> "?view=server&fid=1&gid=3"
>>
>> That's the most info you'll get out of the JS - pass that to the
>> s3_client.php page and you'll get an un-styled, plain format of the
>> page that's rendered when you click on a "Server" link.
>> What benefit is there (to a normal user or a hacker) of wanting to
>> change the fid and gid?  They do nothing except choose which data you
>> want to get back to the client front-end.
>>     
>
> It might not be a security issue to NLG, but passing any variable
> back to the client, unsanitized, is an opening for cross site
> scripting (XSS).  This is where an attacker feeds the URL for
> your site (including the bad data) to an unknowing client, that
> then receives the bad data as part of the returned web page from
> your site.
>
> It is usually an attack directly to the web browser, or to another
> site, relayed by your site.
>
> So, ALL variables that contain data from outside the server
> environment must be sanitized before use.  This is why Perl has
> its "taint" mode, where all variables that contain external
> data are "tainted" until sanitized through substitutions and the
> like, and it gives errors if a "tainted" variable is used
> before being sanitized.
>
> In PHP, you have to be aware, as it does not have a "taint"-like
> mode.
>
>   


-- 
Andy Shellam
NetServe Support Team

the Mail Network
"an alternative in a standardised world"

p: +44 (0) 121 288 0832/0839
m: +44 (0) 7818 000834


_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null