[dev.icinga.com #1605] Cross-Site Scripting vulnerability in Icinga #638
Comments
Updated by mfriedrich on 2011-06-01 15:15:56 +00:00
Updated by mfriedrich on 2011-06-01 15:16:49 +00:00
yep, verified and tested in existing 1.4.0 setups.
Updated by mfriedrich on 2011-06-01 15:41:47 +00:00
thanks for the proposed patch, but this does only small fixing in the expanding itself. the overall expand GET variable can be used all over config.cgi - e.g. hosts and using the 'show only' search form will cause the url to look like this config.cgi?type=hosts&expand=<body+onload%3Dalert(666)> generating another xss vulnerability on the hosts page. the proposed fix attempts to already escape the string when reading the GET variables, and this is verified working all over the place. i will push it to git upstream and r1.4 for a 1.4.1 release soon to be out there.
Updated by mfriedrich on 2011-06-01 15:49:57 +00:00
resolved in 32 minutes ;-D
Updated by mfriedrich on 2011-06-01 16:54:16 +00:00
Applied in changeset cd50422.
Updated by mfriedrich on 2011-06-08 21:22:01 +00:00
ok, i've now figured what i might have missed on the overall hard quickfix. your proposed patch is fine, unless someone sets escape_html_tags=0 in cgi.cfg (happens when using check_multi e.g.). there are two other places where just an html_encode happens instead of escape_string (the 2nd line and the input form).
command_args[i] isn't escaped too. so the variety with 2 introduced search forms plus multiple arguments being interpreted needs overall escaping. the clean way is to revoke all html_encode onto the expander/command_args, and only let escape_string happen when it's printf'd. tested with escape_html_tags 0 and 1.
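Added example (not Icinga's code, and not the patch discussed here) illustrating the two points made in the comments above: an html_encode applied once when the GET variable is read, and only when escape_html_tags=1, still leaves the raw value in the page for setups that run with escape_html_tags=0, whereas escaping each value at the moment it is written into the HTML (the "escape when it's printf'd" approach) does not depend on that setting. The function names, the page template and the sample input are constructed for the example.

```c
/* Added example, not Icinga's code: escaping untrusted CGI values at the point
 * of output. render_conditional() models the pattern the issue describes
 * (encode once at read time, only if escape_html_tags is set); render_always()
 * escapes every time the value is written into HTML. Names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Escape the five HTML-significant characters. Returns the number of bytes
 * written (excluding the NUL), or -1 if the output buffer is too small. */
int html_escape(const char *in, char *out, size_t outlen) {
    size_t n = 0;
    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *rep;
        switch (*in) {
            case '&':  rep = "&amp;";  break;
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#39;";  break;
            default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (n + rl + 1 > outlen)      /* keep room for the terminating NUL */
            return -1;
        memcpy(out + n, rep, rl);
        n += rl;
    }
    out[n] = '\0';
    return (int)n;
}

/* Constructed template used by both render paths: the value appears as text
 * in a table cell and as the prefilled value of the 'show only' search form. */
#define PAGE_TEMPLATE "<td>%s</td><input name=\"expand\" value=\"%s\">"

/* html_encode applied once at read time, but only when escape_html_tags is
 * set. Returns 0 on success, -1 if a buffer is too small. */
int render_conditional(const char *expand, int escape_html_tags,
                       char *page, size_t pagelen) {
    char enc[256];
    const char *val = expand;
    if (escape_html_tags) {
        if (html_escape(expand, enc, sizeof enc) < 0)
            return -1;
        val = enc;
    }
    int w = snprintf(page, pagelen, PAGE_TEMPLATE, val, val);
    return (w < 0 || (size_t)w >= pagelen) ? -1 : 0;
}

/* Escape at output time regardless of configuration: the raw value is kept
 * internally and escaped each time it is written into HTML. */
int render_always(const char *expand, char *page, size_t pagelen) {
    char enc[256];
    if (html_escape(expand, enc, sizeof enc) < 0)
        return -1;
    int w = snprintf(page, pagelen, PAGE_TEMPLATE, enc, enc);
    return (w < 0 || (size_t)w >= pagelen) ? -1 : 0;
}

/* Check used by the demo: 1 if the untrusted marker survived as raw markup. */
int contains_raw(const char *page, const char *marker) {
    return strstr(page, marker) != NULL;
}

int main(void) {
    /* Constructed untrusted value standing in for the expand GET parameter. */
    const char *expand = "<i>host</i>";
    char page[512];

    render_conditional(expand, 0, page, sizeof page);
    printf("escape_html_tags=0, encode at read time: raw tag present=%d\n",
           contains_raw(page, "<i>"));
    render_conditional(expand, 1, page, sizeof page);
    printf("escape_html_tags=1, encode at read time: raw tag present=%d\n",
           contains_raw(page, "<i>"));
    render_always(expand, page, sizeof page);
    printf("escape at output time:                   raw tag present=%d\n",
           contains_raw(page, "<i>"));
    return 0;
}
```

With escape_html_tags=0 the first path writes the tag into the page unchanged; the output-time path produces identical, escaped output for both settings, which is why the comment above proposes dropping the html_encode on the expander/command_args and doing escape_string at the printf.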
Updated by mfriedrich on 2011-06-15 16:48:58 +00:00
Updated by mfriedrich on 2011-06-26 15:35:37 +00:00
Updated by mfriedrich on 2014-12-08 09:42:15 +00:00
This issue has been migrated from Redmine: https://dev.icinga.com/issues/1605
Created by sschurtz on 2011-06-01 14:46:03 +00:00
Assignee: mfriedrich
Status: Resolved (closed on 2011-06-26 15:35:37 +00:00)
Target Version: 1.4.2
Last Update: 2014-12-08 09:42:15 +00:00 (in Redmine)
Changesets
2011-06-01 15:46:42 +00:00 by mfriedrich cbe9993
2011-06-01 15:48:15 +00:00 by mfriedrich cd50422
2011-06-08 21:25:49 +00:00 by mfriedrich 757be9b
2011-06-09 11:59:14 +00:00 by mfriedrich bd1ae15
Relations: