fixed a fail to adequately sanitize request strings of malicious JavaScript #30

This commit is contained in:
Jordi Sanfeliu 2013-11-25 18:00:28 +01:00
parent a790c283a4
commit cc9ba672bb
2 changed files with 18 additions and 3 deletions


@ -33,9 +33,12 @@
- Fixed the 'int' graph in order to be compatible with Excito B3 product.
(thanks to Patrick Fallberg, patrick AT fallberg.net for pointing this out)
- Fixed to correctly sanitize the input string in the built-in HTTP server
which led a number of security vulnerabilities. [#30]
which led into a number of security vulnerabilities. [#30]
- Fixed the lack of minimum definition in some data sources of 'bind' graph.
(thanks to Andreas Itzchak Rehberg, izzy AT qumran.org for pointing this out)
- Fixed a fail to adequately sanitize request strings of malicious JavaScript.
[#30]
(thanks to Jacob Amey, jamey AT securityinspection.com for pointing this out)
- Small fixes and typos.


@ -153,6 +153,18 @@ sub handle_request {
return if fork(); # parent returns
my $url = $cgi->path_info();
my $url_disarmed = $url;
# this should disarm all XSS and Cookie Injection attempts
$url_disarmed =~ s/\&/&/g;
$url_disarmed =~ s/\</&lt;/g;
$url_disarmed =~ s/\>/&gt;/g;
$url_disarmed =~ s/\"/&quot;/g;
$url_disarmed =~ s/\'/&#x27;/g;
$url_disarmed =~ s/\(/&#x28;/g;
$url_disarmed =~ s/\)/&#x29;/g;
$url_disarmed =~ s/\//&#x2F;/g;
$0 = "monitorix-httpd"; # change process' name
# check if the IP address is allowed to connect
@ -166,7 +178,7 @@ sub handle_request {
print "<title>403 Forbidden</title>\r\n";
print "</head><body>\r\n";
print "<h1>Forbidden</h1>\r\n";
print "<p>You don't have permission to access $url\r\n";
print "<p>You don't have permission to access $url_disarmed\r\n";
print "on this server.</p>\r\n";
print "<hr>\r\n";
print "<address>Monitorix HTTP Server listening at $host Port $port</address>\r\n";
@ -242,7 +254,7 @@ sub handle_request {
print "<title>404 Not Found</title>\r\n";
print "</head><body>\r\n";
print "<h1>Not Found</h1>\r\n";
print "The requested URL $url was not found on this server.<p>\r\n";
print "The requested URL $url_disarmed was not found on this server.<p>\r\n";
print "<hr>\r\n";
print "<address>Monitorix HTTP Server listening at $host Port $port</address>\r\n";
print "</body></html>\r\n";
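Review bot: The first substitution of the new escaping block, `$url_disarmed =~ s/\&/&/g;`, replaces `&` with `&` and is therefore a no-op as the page renders it; unless that is a rendering artefact of `&amp;`, the ampersand is never escaped, so any entity sequence already present in the request path reaches the 403/404 pages verbatim and the escaped string is no longer an unambiguous encoding of the input. It should read `$url_disarmed =~ s/&/&amp;/g;` (the backslashes before `&`, `<`, `>`, `"` and `'` are unnecessary inside the pattern), or the whole chain can collapse into one pass, `$url_disarmed =~ s{([&<>"'()/])}{sprintf('&#x%X;', ord $1)}ge;`, which also removes the ordering dependency between the eight substitutions. The unescaped `$url` stays in scope after this block and handle_request continues outside the hunk, so any other place it is interpolated into a response should switch to `$url_disarmed` as the 403 and 404 hunks do. The comment `# this should disarm all XSS and Cookie Injection attempts` overstates what the code does; `# HTML-escape the request path before echoing it in error pages` describes it accurately.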