From cc9ba672bbf3015aef69f0053209ece81eb6d934 Mon Sep 17 00:00:00 2001 From: Jordi Sanfeliu Date: Mon, 25 Nov 2013 18:00:28 +0100 Subject: [PATCH] fixed a fail to adequately sanitize request strings of malicious JavaScript #30 --- Changes | 5 ++++- lib/HTTPServer.pm | 16 ++++++++++++++-- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/Changes b/Changes index 1744f45..b13f36d 100644 --- a/Changes +++ b/Changes @@ -33,9 +33,12 @@ - Fixed the 'int' graph in order to be compatible with Excito B3 product. (thanks to Patrick Fallberg, patrick AT fallberg.net for pointing this out) - Fixed to correctly sanitize the input string in the built-in HTTP server - which led a number of security vulnerabilities. [#30] + which led into a number of security vulnerabilities. [#30] - Fixed the lack of minimum definition in some data sources of 'bind' graph. (thanks to Andreas Itzchak Rehberg, izzy AT qumran.org for pointing this out) +- Fixed a fail to adequately sanitize request strings of malicious JavaScript. + [#30] + (thanks to Jacob Amey, jamey AT securityinspection.com for pointing this out) - Small fixes and typos. diff --git a/lib/HTTPServer.pm b/lib/HTTPServer.pm index 031dba5..3eb303b 100644 --- a/lib/HTTPServer.pm +++ b/lib/HTTPServer.pm @@ -153,6 +153,18 @@ sub handle_request { return if fork(); # parent returns my $url = $cgi->path_info(); + my $url_disarmed = $url; + + # this should disarm all XSS and Cookie Injection attempts + $url_disarmed =~ s/\&/&/g; + $url_disarmed =~ s/\/>/g; + $url_disarmed =~ s/\"/"/g; + $url_disarmed =~ s/\'/'/g; + $url_disarmed =~ s/\(/(/g; + $url_disarmed =~ s/\)/)/g; + $url_disarmed =~ s/\////g; + $0 = "monitorix-httpd"; # change process' name # check if the IP address is allowed to connect @@ -166,7 +178,7 @@ sub handle_request { print "403 Forbidden\r\n"; print "\r\n"; print "
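Review bot: The escaping added right after `my $url = $cgi->path_info();` is a hand-maintained substitution table, yet a `CGI` object is already in hand, so the same effect is obtained more safely in one line: `my $url_disarmed = $cgi->escapeHTML($url);` (HTML::Entities::encode_entities would serve equally), which also removes the dependence on the `&` substitution running first. As rendered here the replacement sides read `&`, `>`, `"`, `'`, `(`, `)`, `/`, i.e. apparent no-ops, presumably because entity references in the patch were decoded on display; that a reviewer cannot tell the table is correct by reading it is itself an argument against it. The comment `# this should disarm all XSS and Cookie Injection attempts` overstates what the code does: entity escaping neutralises reflection into the 403/404 HTML bodies but does nothing about CRLF or other injection into response headers, so it should be narrowed to something like `# HTML-escape the request path before reflecting it in error pages`. The unescaped `$url` is still used by the rest of `handle_request`, which runs past this hunk, so whatever path-handling checks live there are untouched by this change.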

Forbidden

\r\n"; - print "

You don't have permission to access $url\r\n"; + print "

You don't have permission to access $url_disarmed\r\n"; print "on this server.

\r\n"; print "
\r\n"; print "
Monitorix HTTP Server listening at $host Port $port
\r\n"; @@ -242,7 +254,7 @@ sub handle_request { print "404 Not Found\r\n"; print "\r\n"; print "

Not Found

\r\n"; - print "The requested URL $url was not found on this server.

\r\n"; + print "The requested URL $url_disarmed was not found on this server.

\r\n"; print "


\r\n"; print "
Monitorix HTTP Server listening at $host Port $port
\r\n"; print "\r\n";