On 07-02-2015 at 07:43, J.C. Cleaver wrote:
Hopefully Xymon 5 brings us encrypted and authenticated transport between the client and server as that will help prevent this type of attack, as well as protect your sensitive info in transit :-)

This is really the solution -- end-to-end encoding using key trust; right now the most client security that you have is IP-based. But even if your transport mechanism is over an stunnel, you're really still at the mercy of the original source. A local user could execute a script placing a specially crafted message in $0, which would show up in the 'ps' output and might survive <PRE> wrapping in the 'procs' test to cause a browser problem, for example.
Xymon really isn't designed for a "hostile" environment. You can also trigger all sorts of amusing cross-site scripting on web status pages, since the raw HTML returned from the web server is included as-is in the status page.
But eliminating that would also remove the very nice ability to provide an intelligent status page from your web application ...
Regards, Henrik
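
The case raised in this thread, client-supplied text such as 'ps' output reaching the status page inside <PRE>, with HTML escaping applied before the wrapper is added. This is an added example, not part of the original messages and not Xymon's code; the function names and the sample 'ps' line are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: append s to out (capacity cap, length *len).
 * Returns -1 instead of truncating when s does not fit. */
static int append(char *out, size_t cap, size_t *len, const char *s)
{
    size_t n = strlen(s);
    if (*len + n + 1 > cap) return -1;
    memcpy(out + *len, s, n + 1);            /* copies the NUL as well */
    *len += n;
    return 0;
}

/* Append untrusted text with the HTML-significant characters replaced by
 * entities, so markup sent by a client is displayed rather than parsed. */
static int append_escaped(char *out, size_t cap, size_t *len, const char *in)
{
    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *rep = one;               /* default: copy the byte as-is */
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        if (append(out, cap, len, rep)) return -1;
    }
    return 0;
}

/* Wrap untrusted client text in <PRE>. The tags are trusted literals; the
 * body is escaped. On overflow the buffer is emptied (fail closed). */
int render_pre_block(char *out, size_t cap, const char *untrusted)
{
    size_t len = 0;
    if (cap == 0) return -1;
    if (append(out, cap, &len, "<PRE>") || append_escaped(out, cap, &len, untrusted)
        || append(out, cap, &len, "</PRE>")) { out[0] = '\0'; return -1; }
    return 0;
}

int main(void)
{
    /* Constructed sample: a 'ps' line whose command name carries markup. */
    char page[256];
    if (render_pre_block(page, sizeof page, "user 4242 </PRE><script>x</script>") == 0) puts(page);
    return 0;
}
```

Escaping every status body this way is the trade-off named above: it also neutralises HTML that a web application returns on purpose.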