[Xymon] Xymon notifications disappear due to base64 encoding

Henrik Størner henrik at hswn.dk
Wed Feb 11 22:25:12 CET 2015


On 07-02-2015 at 07:43, J.C. Cleaver wrote:
>> Hopefully Xymon 5 brings us encrypted and authenticated transport
>> between the client and server as that will help prevent this type of
>> attack, as well as protect your sensitive info in transit :-)
> This is really the solution -- end-to-end encoding using key trust; right
> now the most client security that you have is IP-based. But even if your
> transport mechanism is over an stunnel, you're really still at the mercy
> of the original source. A local user could execute a script placing a
> specially crafted message in $0, which would show up in the 'ps' output
> and might survive <PRE> wrapping in the 'procs' test to cause a browser
> problem, for example.

Xymon really isn't designed for a "hostile" environment. You can also
trigger all sorts of amusing cross-site scripting on web status pages,
since the raw HTML returned from the web server is included as-is in the
status page.

But eliminating that would also remove the very nice ability to provide
an intelligent status page from your web application ...


Regards,
Henrik
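
The trade-off discussed above, escaping untrusted status text versus keeping application-supplied markup, shown as an added example (not Xymon's code and not part of the original post): everything is HTML-escaped except an exact allowlist of attribute-free tags. The function name `sanitize_status` and the tag allowlist are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <string.h>
/* Hypothetical allowlist: bare formatting tags only, no attributes, exact case. */
static const char *ALLOWED[] = { "<b>", "</b>", "<i>", "</i>", "<br>", NULL };

/* Return the length of an allowlisted tag starting at s, or 0 if none matches. */
static size_t allowed_tag_len(const char *s)
{
    for (size_t i = 0; ALLOWED[i]; i++) {
        size_t n = strlen(ALLOWED[i]);
        if (strncmp(s, ALLOWED[i], n) == 0) return n;
    }
    return 0;
}
/* Append n bytes of src at *pos; fail if they would not fit with the NUL. */
static int put(char *out, size_t outsz, size_t *pos, const char *src, size_t n)
{
    if (*pos + n + 1 > outsz) return -1;
    memcpy(out + *pos, src, n);
    *pos += n;
    out[*pos] = '\0';
    return 0;
}
/* Escape untrusted status text (e.g. 'ps' output) for inclusion in HTML.
   Returns 0 on success, -1 if out is too small (out is then left empty). */
int sanitize_status(const char *in, char *out, size_t outsz)
{
    size_t pos = 0;
    if (outsz == 0) return -1;
    out[0] = '\0';
    while (*in) {
        size_t n = allowed_tag_len(in);
        const char *rep = NULL;
        if (n == 0) {
            switch (*in) {
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '&':  rep = "&amp;";  break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#39;";  break;
            }
        }
        int rc = n ? put(out, outsz, &pos, in, n)
               : rep ? put(out, outsz, &pos, rep, strlen(rep)) : put(out, outsz, &pos, in, 1);
        if (rc != 0) { out[0] = '\0'; return -1; }
        in += n ? n : 1;
    }
    return 0;
}
```

A tag with any attribute, or in a different case, does not match the allowlist and is escaped, so the filter fails closed at the cost of the richer markup a web application might want to return.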



