JavaScript injection / insufficient escaping in web interface

Issue #879 resolved
Hanno Böck created an issue

There's insufficient HTML escaping in the web interface, leading to an XSS issue. One can e.g. inject JavaScript via the host name or via check rules.

XSS is usually considered a security vulnerability, though in this case I find it extremely unlikely to pose any practical threat, as the admin should usually control the config file content. It would however be imaginable with autogenerated config files for user-controlled data. But still I'd propose to properly escape all output in the web interface.

Example rule:

check host foo with address <svg/onload=alert`1`>
    if failed host <svg/onload=alert`2`> port 25 then alert
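
The mitigation the issue proposes, escaping config-derived strings at the point of output, sketched in C as an added example that is not part of the original issue or the project's own code. The names `html_escape` and `render_host_row` are hypothetical, and the sample input is the address value from the example rule.

```c
#include <stdio.h>
#include <string.h>

/* Escape the five HTML-significant characters so `in` renders as text in
 * element content or a quoted attribute. Returns bytes written (excluding
 * NUL), or -1 if `out` is too small: it fails closed and never truncates. */
int html_escape(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    if (outsz == 0) return -1;
    for (; *in; in++) {
        const char *rep;
        char one[2] = { *in, '\0' };
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t n = strlen(rep);
        if (o + n + 1 > outsz) return -1;
        memcpy(out + o, rep, n);
        o += n;
    }
    out[o] = '\0';
    return (int)o;
}

/* Hypothetical status-page row: values are escaped when written out, not
 * trusted because they came from the config file. */
int render_host_row(const char *name, const char *address,
                    char *out, size_t outsz) {
    char n[256], a[256];
    if (html_escape(name, n, sizeof n) < 0 ||
        html_escape(address, a, sizeof a) < 0)
        return -1;
    int len = snprintf(out, outsz, "<tr><td>%s</td><td>%s</td></tr>", n, a);
    return (len < 0 || (size_t)len >= outsz) ? -1 : len;
}

int main(void) {
    char row[600];
    /* Constructed input: the address value from the example rule above. */
    if (render_host_row("foo", "<svg/onload=alert`1`>", row, sizeof row) < 0)
        return 1;
    puts(row);
    return 0;
}
```

The escaped row contains no element boundary from the config value, so the browser displays the rule text instead of parsing it as markup.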
