Project

General

Profile

Actions

Bug #8269

closed

Passing an invalid RRD file to rrd_fetch_json.php via the left= parameter in POST prints the supplied name to the user without encoding

Added by Jim Pingle almost 7 years ago. Updated over 6 years ago.

Status:
Resolved
Priority:
High
Assignee:
Category:
Status_Monitoring
Target version:
Start date:
01/10/2018
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Affected Version:
2.4.x
Affected Plus Version:
Affected Architecture:
All

Description

Passing an invalid RRD file to rrd_fetch_json.php via the left= parameter in POST prints the supplied name without encoding, leading to a potential XSS vector.

Two potential issues here:

1. rrd_fetch_json.php needs to check if a file exists and handle that case better, either skipping actions or returning a generic error without supplying the full output
2. status_monitoring.php needs to not print the error messages exactly as they are sent from rrd_fetch_json.php so that HTML or other scripts cannot be passed back via error messages.

To me, I have a fix.

Actions #1

Updated by Jim Pingle almost 7 years ago

  • Status changed from Confirmed to Feedback
Actions #2

Updated by Jim Pingle almost 7 years ago

  • % Done changed from 0 to 100
Actions #3

Updated by Jim Pingle almost 7 years ago

  • Status changed from Feedback to Resolved

All branches have updated packages and they are all working as expected with the fix in place.

Actions #4

Updated by Jim Pingle over 6 years ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF