[omd-commits] OMD Git: omd: nagios: Add patch fixing an XSS attack

git version control git at mathias-kettner.de
Thu Jun 9 16:44:24 CEST 2011


Module:   omd
Branch:   master
Commit:   27dd0e99a74a9dbcfa3e3008c964352813669106
URL:      http://omdistro.org/projects/omd/repository/revisions/27dd0e99a74a9dbcfa3e3008c964352813669106

Author:   Mathias Kettner <mk at mathias-kettner.de>
Date:     Thu Jun  9 16:36:00 2011 +0200
Committer: Mathias Kettner <mk at mathias-kettner.de>
Date:     Thu Jun  9 16:36:00 2011 +0200

nagios: Add patch fixing an XSS attack

Thanks to Michael Friedrich

---

 ...ulnerability-in-config-statusmap.cgi-tracke.dif |   39 ++++++++++++++++++++
 1 files changed, 39 insertions(+), 0 deletions(-)

diff --git a/packages/nagios/patches/0001-fix-xss-vulnerability-in-config-statusmap.cgi-tracke.dif b/packages/nagios/patches/0001-fix-xss-vulnerability-in-config-statusmap.cgi-tracke.dif
new file mode 100644
index 0000000..b420859
--- /dev/null
+++ b/packages/nagios/patches/0001-fix-xss-vulnerability-in-config-statusmap.cgi-tracke.dif
@@ -0,0 +1,39 @@
+From a99dfd0b8b883c042b7f43cbb699c3bc06c67953 Mon Sep 17 00:00:00 2001
+From: Michael Friedrich <michael.friedrich at univie.ac.at>
+Date: Wed, 8 Jun 2011 12:51:35 +0200
+Subject: [PATCH] fix xss vulnerability in config/statusmap.cgi trackerids #207 #224
+
+---
+ cgi/config.c    |    2 +-
+ cgi/statusmap.c |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/cgi/config.c b/cgi/config.c
+index 8f5b0a4..5d8aa90 100644
+--- a/cgi/config.c
++++ b/cgi/config.c
+@@ -426,7 +426,7 @@ int process_cgivars(void){
+ 				error=TRUE;
+ 				break;
+ 			        }
+-			strncpy(to_expand,variables[x],MAX_COMMAND_BUFFER);
++			strncpy(to_expand,escape_string(variables[x]),MAX_COMMAND_BUFFER);
+ 			to_expand[MAX_COMMAND_BUFFER-1]='\0';
+ 		        }
+ 
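Review bot: in process_cgivars() the new `strncpy(to_expand,escape_string(variables[x]),MAX_COMMAND_BUFFER);` escapes the CGI variable at parse time rather than at the point where it is written into the page, so to_expand now holds the escaped form for every later use. Any consumer of to_expand that is not HTML output will see the escaped text, and any output path that escapes again will double-encode it; I would keep the raw value here and call escape_string() at the print site instead. Two smaller points: escaping can lengthen the string, so the MAX_COMMAND_BUFFER truncation may now cut through the middle of an escape sequence, and nothing in the hunk checks the return value of escape_string() before it is passed to strncpy(), so please confirm it can never return NULL and document who owns the returned buffer.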
+diff --git a/cgi/statusmap.c b/cgi/statusmap.c
+index a77352d..7f8bc3f 100644
+--- a/cgi/statusmap.c
++++ b/cgi/statusmap.c
+@@ -2404,7 +2404,7 @@ void print_layer_url(int get_method){
+ 
+ 	for(temp_layer=layer_list;temp_layer!=NULL;temp_layer=temp_layer->next){
+ 		if(get_method==TRUE)
+-			printf("&layer=%s",temp_layer->layer_name);
++			printf("&layer=%s",escape_string(temp_layer->layer_name));
+ 		else
+ 			printf("<input type='hidden' name='layer' value='%s'>\n",escape_string(temp_layer->layer_name));
+ 	        }
+-- 
+1.7.1.1
+
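Review bot: in print_layer_url() the get_method==TRUE branch writes the layer name into a URL query string (`&layer=%s`), yet it now gets the same escape_string() call as the HTML attribute in the else branch (`value='%s'`). These are two different output contexts. If escape_string() emits HTML entities, the `&` and `#` characters in its output would themselves be read as a parameter separator and a fragment marker inside the query string, so the layer value would not round-trip. Percent-encoding the value in the GET branch would fit that context; a short comment at each printf stating which encoding applies and why would also help the next reader.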


