[Openvas-devel] OMP always returning OK 201 Success

NopSec info at nopsec.com
Thu Jan 6 20:14:10 CET 2011


On 01/06/2011 04:14 AM, Matthew Mundell wrote:
>> When trying to create a new config with an embedded get_configs response
>> element, we get a status 201 OK success message, but the config is not
>> created correctly. We noticed that it works with smaller configs (i.e.
>> only 1 family), but the config is not created correctly when importing a
>> larger config even though OMP returns success.
>>
>> Is there a way to determine if OMP encounters an error, because now it
>> only returns a status 201 OK success message even if it errors out?
> It should always return an error status if there was an error.  Could you
> give a bit more detail of the situation?  Maybe send an example of the OMP
> command?  The Manager log may give some clue of what went wrong.
>
> --
> Greenbone Networks GmbH
> Neuer Graben 17, 49074 Osnabrueck, Germany | AG Osnabrueck, HR B 202460
> Executive Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner
Thanks Matthew for the reply.

I am actually referring to a bug that has already been posted. I paste
it below because it has all the details. In a nutshell, OMP does not
throw an error if a preference name does not match a valid one. In other
words, it does not validate the user inputs. Could this also be
considered a security vulnerability?

Thanks.

Michelangelo

Bugs item #1906, was opened at 2010-12-21 12:05
Status: Open
Priority: 3
Submitted By: Kelvin Sam (taopok)
Assigned to: Nobody (None)
Summary: Wrong status returned by OMP for unsuccessful updates 
Architecture: None
Resolution: None
Severity: normal
Version: v3.0.2
Component: openvas-manager
Operating System: All
Product: OpenVAS
Hardware: None
URL: 


Initial Comment:
OMP returns <status="200" status_text="OK"> even if updates were not successful. 

Faced this problem with modify_config command. Not sure whether it affects others but assuming so. 

Example (incomplete preference name passed in; the correct preference name should be "Services[entry]:Network read/write timeout :"):
------------------------------
omp -X '<modify_config config_id="blahblahblah"><preference><nvt oid="1.3.6.1.4.1.25623.1.0.10330"/><name>Services[entry]:Network read/write timeout</name><value>MTA=</value></preference></modify_config>'

<modify_config_response status="200" status_text="OK"></modify_config_response>
-------------------------------

OMP should reply with an error status if the preference name does not match that of a valid one, to keep users informed correctly instead of misleading them that it's working.
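
The check the bug report asks for, as an added sketch that is not OpenVAS Manager code and not part of the original message: a handler that applies the update only when the (NVT OID, preference name) pair matches a stored preference exactly, and returns an error status otherwise. The `PREFS` table, the `modify_config` and `command` helpers and the 400/404 status codes are assumptions made for illustration; `MTA=` is base64 for `10`.

```python
import base64
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed stand-in for the stored preferences:
# (NVT OID, full preference name) -> current value.
PREFS = {
    ("1.3.6.1.4.1.25623.1.0.10330",
     "Services[entry]:Network read/write timeout :"): "5",
}


def modify_config(command_xml, prefs):
    """Apply a modify_config preference update; return (status, status_text).

    A name that matches no stored preference is reported as an error
    instead of being accepted as a silent no-op.
    """
    try:
        root = ET.fromstring(command_xml)
    except ET.ParseError:
        return 400, "Syntax error"
    pref = root.find("preference") if root.tag == "modify_config" else None
    if pref is None:
        return 400, "Syntax error"
    nvt = pref.find("nvt")
    oid = nvt.get("oid") if nvt is not None else None
    name = pref.findtext("name")
    value_b64 = pref.findtext("value")
    if oid is None or name is None or value_b64 is None:
        return 400, "Missing nvt, name or value"
    try:
        value = base64.b64decode(value_b64, validate=True).decode("utf-8")
    except ValueError:
        return 400, "Value is not valid base64"
    key = (oid, name)      # exact match, trailing " :" included
    if key not in prefs:   # nothing would be updated, so say so
        return 404, "Preference not found: " + name
    prefs[key] = value
    return 200, "OK"


def command(name):
    """Build the command from the report with the given preference name."""
    return ('<modify_config config_id="blahblahblah"><preference>'
            '<nvt oid="1.3.6.1.4.1.25623.1.0.10330"/><name>' + escape(name) +
            '</name><value>MTA=</value></preference></modify_config>')
```

With the incomplete name from the report the handler returns 404 and leaves the stored value untouched; with the full name it returns 200 and stores `10`.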



