[Openvas-devel] OMP always returning OK 201 Success

Matthew Mundell matthew.mundell at greenbone.net
Fri Jan 7 09:44:01 CET 2011


> I am actually referring to a bug that has already been posted. I paste
> it below because it has all the details. In a nutshell OMP does not
> throw an error if a preference name does not match a valid one. In other

Oh I see, the modify_config issue.  To repeat for the list: It's working as
I expect.  It's just that the Manager lets you modify any preference.  So
if you make a typo in the name it adds a new preference with that name.

The up side of this is that you can modify a preference before it arrives
in the feed.

Perhaps it would make more sense for the Manager to allow the modification
only if the preference exists.

> words it does not validate the user inputs. Could this be also
> considered a security vulnerability?

Well, you have to authenticate before you can do this, and at worst you can
fill the database with random preferences.

--
Greenbone Networks GmbH
Neuer Graben 17, 49074 Osnabrueck, Germany | AG Osnabrueck, HR B 202460
Executive Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner


More information about the Openvas-devel mailing list