[dev.icinga.com #1605] Cross-Site Scripting vulnerability in Icinga #638
This issue has been migrated from Redmine: https://dev.icinga.com/issues/1605
Created by sschurtz on 2011-06-01 14:46:03 +00:00
2011-06-01 15:46:42 +00:00 by mfriedrich cbe9993
2011-06-01 15:48:15 +00:00 by mfriedrich cd50422
2011-06-08 21:25:49 +00:00 by mfriedrich 757be9b
2011-06-09 11:59:14 +00:00 by mfriedrich bd1ae15
Updated by mfriedrich on 2011-06-01 15:41:47 +00:00
thanks for the proposed patch, but this only does a small fix in the expanding itself.
the overall expand GET variable can be used all over config.cgi - e.g. hosts, and using the 'show only' search form will cause the url to look like this
generating another xss vulnerability on the hosts page.
the proposed fix attempts to escape the string already when reading the GET variables, and this is verified to be working all over the place.
i will push it to git upstream and r1.4 for a 1.4.1 release, soon to be out there.
Updated by mfriedrich on 2011-06-08 21:22:01 +00:00
ok, i've now figured out what i might have missed on the overall hard quickfix.
your proposed patch is fine, unless someone sets escape_html_tags=0 in cgi.cfg (which happens e.g. when using check_multi).
there are two other places where just an html_encode happens instead of escape_string (the 2nd line and the input form).
command_args[i] isn't escaped either. so the variety with 2 introduced search forms plus multiple arguments being interpreted needs overall escaping.
the clean way is to revoke all html_encode on the expander/command_args, and only let escape_string happen when it's printf'd.
tested with escape_html_tags 0 and 1.
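The two comments above describe a fix pattern rather than a single patch line: drop the escaping done when the GET variable is read, and escape once, unconditionally, at every printf that writes the value into the page, because an html_encode that honours escape_html_tags=0 is a display preference and not a security boundary. The following is an added example written for this page, not Icinga's cgiutils or config.cgi code; `escape_html_tags` as a plain variable, `escape_always`, `escape_if_configured`, `render_before`, `render_after` and both payloads are constructed here, and the real Icinga functions and their signatures are not reproduced. It models the two sinks the thread names (the table cell showing the expanded value and the 'show only' input form) and shows why the attribute sink also needs quote escaping.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the cgi.cfg switch the thread mentions: when 0,
 * the html_encode-style path passes text through unescaped (the setting
 * check_multi users choose).  Example's own variable, not Icinga's. */
int escape_html_tags = 1;

/* Unconditional escaper for the five HTML metacharacters, in the role the
 * thread gives escape_string().  The implementation is the example's own.
 * Returns a malloc'd string; the caller frees it. */
char *escape_always(const char *s)
{
    size_t len = 0;
    const char *p;
    char *out, *o;

    for (p = s; *p; p++) {
        switch (*p) {
        case '&':  len += 5; break;   /* &amp;  */
        case '<':
        case '>':  len += 4; break;   /* &lt; &gt; */
        case '"':  len += 6; break;   /* &quot; */
        case '\'': len += 5; break;   /* &#39;  */
        default:   len += 1; break;
        }
    }
    out = malloc(len + 1);
    if (!out)
        return NULL;
    for (p = s, o = out; *p; p++) {
        switch (*p) {
        case '&':  memcpy(o, "&amp;", 5);  o += 5; break;
        case '<':  memcpy(o, "&lt;", 4);   o += 4; break;
        case '>':  memcpy(o, "&gt;", 4);   o += 4; break;
        case '"':  memcpy(o, "&quot;", 6); o += 6; break;
        case '\'': memcpy(o, "&#39;", 5);  o += 5; break;
        default:   *o++ = *p; break;
        }
    }
    *o = '\0';
    return out;
}

/* Conditional escaper in the role of html_encode(): it honours
 * escape_html_tags, so turning the setting off turns the escaping off.
 * Returns a malloc'd string; the caller frees it. */
char *escape_if_configured(const char *s)
{
    if (escape_html_tags)
        return escape_always(s);
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy)
        memcpy(copy, s, n);
    return copy;
}

/* Rejected pattern: the expanded value and a command argument reach the
 * table cell and the 'show only' form through the conditional path.
 * Returns snprintf's byte count. */
int render_before(char *out, size_t n, const char *expand, const char *arg)
{
    char *e = escape_if_configured(expand);
    char *a = escape_if_configured(arg);
    int w = snprintf(out, n,
        "<td>%s</td>\n<input type='text' name='expand' value='%s'>\n", e, a);
    free(e);
    free(a);
    return w;
}

/* Proposed pattern: nothing is escaped on read; one unconditional escape
 * happens at the printf, so cgi.cfg cannot switch it off. */
int render_after(char *out, size_t n, const char *expand, const char *arg)
{
    char *e = escape_always(expand);
    char *a = escape_always(arg);
    int w = snprintf(out, n,
        "<td>%s</td>\n<input type='text' name='expand' value='%s'>\n", e, a);
    free(e);
    free(a);
    return w;
}

/* Constructed payloads: one breaks out of the text node, the other closes
 * the single-quoted value attribute and adds an event handler. */
const char *PAYLOAD_TAG  = "<script>alert(1)</script>";
const char *PAYLOAD_ATTR = "' autofocus onfocus='alert(1)";

int main(void)
{
    char buf[512];

    escape_html_tags = 0;   /* the check_multi configuration */
    render_before(buf, sizeof buf, PAYLOAD_TAG, PAYLOAD_ATTR);
    printf("before (escape_html_tags=0):\n%s\n", buf);
    render_after(buf, sizeof buf, PAYLOAD_TAG, PAYLOAD_ATTR);
    printf("after  (escape_html_tags=0):\n%s\n", buf);
    return 0;
}
```

With escape_html_tags=0 the first renderer emits the script tag and the attribute breakout verbatim; the second emits `&lt;script&gt;` in the cell and `value='&#39; autofocus ...'` in the form, which is why the single quote has to be in the escape set once a value lands inside a quoted attribute. With escape_html_tags=1 both renderers produce the same output, matching the thread's note that the fix was tested with the setting at 0 and 1.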