[hobbit] RE: Hobbit Security (Cross-Site Scripting)

Stewart L stewartl42 at gmail.com
Fri Jun 19 19:07:00 CEST 2009


I found a bunch of the same stuff (and more).  Looks like most of it is
duplicates on the same pages/attributes.

For example, on hobbit-enadis.sh, ippattern is not validated.  This shows
up for me as multiple issues, but it's one root cause.

What you have to decide is how much of a risk does this really pose.

Any of the pages that allow you to change anything should be password
protected and only trusted users should be able to access.  There is not a
SQL server behind the thing, so who cares about SQL injection.  They are not
going to delete your data.

Stewart





On Fri, Jun 19, 2009 at 11:18 AM, Stewart L <stewartl42 at gmail.com> wrote:

> It's usually a bit more complicated than just quoting the user input.   I'm
> actually scanning a fresh install with IBM Appscan Enterprise when you
> mentioned it... :)
>
>
>
> On Fri, Jun 19, 2009 at 11:09 AM, David Cecchino <
> david.cecchino at datacure.com> wrote:
>
>> HP Webinspect scans of xymon show it is vulnerable to XSS. Is there a
>> way of putting quotes around the url variables/strings?
>>
>>
>>
>>
>>
>
>
>
>  --
> Stewart
> --
> An infinite number of mathematicians walk into a bar. The first one orders
> a beer. The second orders half a beer. The third, a quarter of a beer. The
> bartender says "You're all idiots", and pours two beers.
>



-- 
Stewart
--
An infinite number of mathematicians walk into a bar. The first one orders a
beer. The second orders half a beer. The third, a quarter of a beer. The
bartender says "You're all idiots", and pours two beers.
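The thread's root cause is an unvalidated CGI parameter (ippattern in hobbit-enadis.sh) that is echoed back into HTML, and the original question was whether quoting the URL variables is enough. The following is an added illustration, not Hobbit/Xymon code: it shows the two defensive steps a shell CGI would normally take, an allow-list check on the parameter before it is used, and HTML-escaping before it is echoed. The function names and the exact character set accepted for an IP pattern are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Hobbit/Xymon code): allow-list validation of a CGI
# parameter such as "ippattern", plus HTML-escaping before echoing it back.
# Function names and the accepted pattern syntax are assumptions.

# Accept only characters an IP pattern legitimately needs: digits, dots,
# the wildcards '*' and '?', and '-' for ranges. Anything else (quotes,
# angle brackets, semicolons, whitespace) is rejected outright.
validate_ippattern() {
    case "$1" in
        "")            return 1 ;;   # empty value is not a pattern
        *[!0-9.*?-]*)  return 1 ;;   # contains a character outside the allow-list
        *)             return 0 ;;
    esac
}

# Escape the characters that change meaning in HTML text and attribute
# context, so a value can be embedded in a page or a quoted attribute.
html_escape() {
    printf '%s' "$1" | sed \
        -e 's/&/\&amp;/g' \
        -e 's/</\&lt;/g' \
        -e 's/>/\&gt;/g' \
        -e 's/"/\&quot;/g' \
        -e "s/'/\&#39;/g"
}

# Combined handler: validate first, escape second. Prints the escaped value
# and returns 0 on success; prints INVALID and returns 1 otherwise.
handle_ippattern() {
    if validate_ippattern "$1"; then
        html_escape "$1"
    else
        printf 'INVALID'
        return 1
    fi
}
```

Validation on its own answers the question in the thread: once ippattern can only contain digits, dots, wildcards and a dash, there is nothing left to quote. Escaping is still applied so that the same handler stays safe for parameters that cannot be restricted as tightly.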