Bug #8269

Passing an invalid RRD file to rrd_fetch_json.php via the left= parameter in POST prints the supplied name to the user without encoding

Added by Jim Pingle 7 months ago. Updated 5 months ago.

Status: Resolved
Priority: High
Assignee:
Category: Status_Monitoring
Target version:
Start date: 01/10/2018
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.4.x
Affected Architecture: All

Description

Passing an invalid RRD file to rrd_fetch_json.php via the left= parameter in POST prints the supplied name without encoding, leading to a potential XSS vector.

Two potential issues here:

1. rrd_fetch_json.php needs to check if a file exists and handle that case better, either skipping actions or returning a generic error without supplying the full output.
2. status_monitoring.php needs to not print the error messages exactly as they are sent from rrd_fetch_json.php so that HTML or other scripts cannot be passed back via error messages.

To me, I have a fix.
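
The two points in the description, sketched as an added PHP example; this is not the pfSense code or the committed fix. The RRD directory, the `.rrd` suffix, the name pattern and all function names are assumptions, and the sample input is constructed.

```php
<?php
// Added example; names and paths are assumptions, not pfSense code.
const RRD_DIR = '/var/db/rrd';   // assumed location of the RRD files

/** Vulnerable shape: the caller-supplied name is echoed back in the error. */
function fetch_error_unsafe(string $left): string
{
    return json_encode(['error' => "Could not open {$left}.rrd"]);
}

/** Point 1: accept only a plain file stem that maps to an existing file. */
function resolve_rrd(string $left, string $dir = RRD_DIR): ?string
{
    // No slashes, dots, markup or NUL bytes; \A and \z anchor the whole string.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $left)) {
        return null;
    }
    $path = $dir . '/' . $left . '.rrd';
    return is_file($path) ? $path : null;
}

/** Point 1, continued: a generic error that reflects nothing from the request. */
function fetch_json_safe(string $left, string $dir = RRD_DIR): string
{
    $path = resolve_rrd($left, $dir);
    if ($path === null) {
        return json_encode(['error' => 'Invalid RRD file requested.']);
    }
    // A real handler would read the RRD data here; only the name is returned.
    return json_encode(['file' => basename($path)]);
}

/** Point 2: encode any upstream error text before placing it in HTML. */
function render_error(string $message): string
{
    return '<div class="alert">' .
        htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') .
        '</div>';
}

// Constructed sample: a name carrying harmless markup.
$sample = '<b>x</b>';
echo fetch_error_unsafe($sample), "\n";  // supplied name comes back verbatim
echo fetch_json_safe($sample), "\n";     // generic error, name not reflected
$upstream = json_decode(fetch_error_unsafe($sample), true)['error'];
echo render_error($upstream), "\n";      // markup arrives as inert text
```

Either measure alone stops the reflected markup from being interpreted; applying both means the page stays safe even if another code path in the JSON endpoint later returns request data in an error.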

History

#1 Updated by Jim Pingle 7 months ago

  • Status changed from Confirmed to Feedback

#2 Updated by Jim Pingle 7 months ago

  • % Done changed from 0 to 100

#3 Updated by Jim Pingle 7 months ago

  • Status changed from Feedback to Resolved

All branches have updated packages and they are all working as expected with the fix in place.

#4 Updated by Jim Pingle 5 months ago

  • Private changed from Yes to No
