- changed status to open
Javascript injection / insufficient escaping in web interface
Issue #879
resolved
There's insufficient HTML escaping in the web interface leading to an XSS issue. One can e.g. inject javascript via the host name or via check rules.
XSS is usually considered a security vulnerability, though in this case I find it extremely unlikely to pose any practical threat, as the admin should usually control the config file content. It would however be imaginable with autogenerated config files for user-controlled data. But still I'd propose to properly escape all output in the webinterface.
Example rule:
check host foo with address <svg/onload=alert`1`>
if failed host <svg/onload=alert`2`> port 25 then alert
Comments (2)
-
repo owner -
repo owner - changed status to resolved
Fixed: Issue
#879: The HTML interface didn't escape strings that are part of monit configuration file. Thanks to Hanno Boeck for report.→ <<cset 7fb599c6dee8>>
- Log in to comment