On 07-02-2015 at 07:43, J.C. Cleaver wrote:
Hopefully Xymon 5 brings us encrypted and authenticated transport
between the client and server as that will help prevent this type of
attack, as well as protect your sensitive info in transit :-)
This is really the solution -- end-to-end encoding using key trust; right
now the most client security that you have is IP-based. But even if your
transport mechanism is over an stunnel, you're really still at the mercy
of the original source. A local user could execute a script placing a
specially crafted message in $0, which would show up in the 'ps' output
and might survive <PRE> wrapping in the 'procs' test to cause a browser
problem, for example.
Xymon really isn't designed for a "hostile" environment. You can also
trigger all sorts of amusing cross-site scripting on web status pages,
since the raw HTML returned from the web server is included as-is in the
status page.
But eliminating that would also remove the very nice ability to provide
an intelligent status page from your web application ...
Regards,
Henrik
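
The 'procs' case described above, as an added example that is not part of the original message and is not Xymon code: client-supplied text is entity-escaped before it is wrapped in <PRE>, so markup in a process name is displayed as text. The names html_escape and render_pre and the sample 'ps' line are hypothetical; escaping everything this way also gives up the raw-HTML status pages mentioned in the reply, so it suits only text that is never meant to carry markup.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not a Xymon function: returns a malloc'd copy of
 * `in` with HTML metacharacters replaced by entities, or NULL on failure. */
char *html_escape(const char *in)
{
    /* Worst case: every input byte becomes "&quot;" (6 bytes). */
    char *out = malloc(strlen(in) * 6 + 1);
    char *p = out;
    if (!out) return NULL;
    for (; *in; in++) {
        const char *rep = NULL;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        if (rep) { size_t l = strlen(rep); memcpy(p, rep, l); p += l; }
        else *p++ = *in;
    }
    *p = '\0';
    return out;
}

/* Builds "<PRE>escaped text</PRE>"; the caller frees the result. */
char *render_pre(const char *client_text)
{
    char *esc = html_escape(client_text);
    if (!esc) return NULL;
    size_t len = strlen(esc) + sizeof("<PRE></PRE>"); /* sizeof counts the NUL */
    char *page = malloc(len);
    if (page) snprintf(page, len, "<PRE>%s</PRE>", esc);
    free(esc);
    return page;
}

int main(void)
{
    /* Constructed sample: a 'ps' line whose command name carries markup. */
    const char *ps_line = "1234 pts/0 00:00:00 </PRE><h1>injected</h1>";
    char *page = render_pre(ps_line);
    if (!page) return 1;
    puts(page);
    free(page);
    return 0;
}
```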