[Openvas-devel] OMP always returning OK 201 Success
info at nopsec.com
Thu Jan 6 20:14:10 CET 2011
On 01/06/2011 04:14 AM, Matthew Mundell wrote:
>> When trying to create a new config with an embedded get_configs response
>> element, we get a status 201 OK success message, but the config is not
>> created correctly. We noticed that it works with smaller configs (i.e.
>> only 1 family), but the config is not created correctly when importing a
>> larger config even though OMP returns success.
>> Is there a way to determine if OMP encounter an error because now it
>> only returns a status 201 OK success message even if it errors out.
> It should always return an error status if there was an error. Could you
> give a bit more detail of the situation? Maybe send an example of the OMP
> command? The Manager log may give some clue of what went wrong.
> Greenbone Networks GmbH
> Neuer Graben 17, 49074 Osnabrueck, Germany | AG Osnabrueck, HR B 202460
> Executive Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner
Thanks Matthew for the reply.
I am actually referring to a bug that has already been posted. I paste
it below because it has all the details. In a nutshell OMP does not
throw an error if a preference name does not match a valid one. In other
words it does not validate the user inputs. Could this be also
considered a security vulnerability?
Bugs item #1906, was opened at 2010-12-21 12:05
Submitted By: Kelvin Sam (taopok)
Assigned to: Nobody (None)
Summary: Wrong status returned by OMP for unsuccessful updates
Operating System: All
OMP returns <status="200" status_text="OK"> even if updates were not successful.
Faced this problem with modify_config command. Not sure whether it affects others but assuming so.
Example (Incomplete Preference named passed in, correct preference name should be "Services[entry]:Network read/write
omp -X '<modify_config config_id="blahblahblah"><preference><nvt
<modify_config_response status="200" status_text="OK"></modify_config_response>
OMP should reply with an error status if the preference name does not match that of a valid one to keep users informed
correctly instead of misleading them that it's working..
More information about the Openvas-devel