[Openvas-discuss] gsad: Validating host and password fields when creating slaves

Tim Brown timb at openvas.org
Sun Mar 6 21:43:29 CET 2011


On Saturday 05 March 2011 11:31:27 Stefan Schwarz wrote:
> Hi,
> 
> after having problems with slave-settings I discovered the following
> problems with validating.
> 
> Host-entries shouldn't be restricted to IP-addresses. At least "-"
> should also be a valid char.
> 
> Passwords shouldn't be validated at all. Any chars should be allowed.

There's a fine line between not restricting people's ability to use whatever 
password they want and accepting input which may turn out to cause other types 
of security flaw (see for example the recent command injection vulnerability).  
I'm all for loosening the controls but we must do so in a fashion that ensures 
new weaknesses are not introduced.  I believe your problems stem from a change 
to tighten the accepted character sets in response to that command injection 
vulnerability.  I'd want to take a look at where those values are used and in 
what context before any significant changes are approved.

Tim
-- 
Tim Brown
<mailto:timb at openvas.org>
<http://www.openvas.org/>
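The thread contrasts two fields that need different treatment: a host field has a defined grammar (IPv4 literal or hostname, hyphens included), so it can be validated strictly, whereas a password is free-form and its safety has to come from how it is handed to the subsystem that uses it, not from stripping characters. The following is an added illustration of that split; it is not gsad code, and the function names, regular expressions, command line and sample values are assumptions made for the example.

```python
"""Context-aware validation of slave host and password fields.

Added illustration for the discussion above; not gsad code. The function
names, the regular expressions and the sample values are assumptions.
"""
import json
import re
import subprocess
import sys

# RFC 1123 style hostname label: alphanumerics and "-", no leading or
# trailing hyphen, at most 63 characters.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")
_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"
_IPV4_RE = re.compile(rf"^{_OCTET}(?:\.{_OCTET}){{3}}$")


def validate_host(value: str) -> bool:
    """Accept an IPv4 literal or a hostname (hyphens allowed, as the thread
    asks for); reject anything else, including shell metacharacters."""
    if not value or len(value) > 253:
        return False
    return bool(_IPV4_RE.match(value) or _HOSTNAME_RE.match(value))


def validate_password(value: str) -> bool:
    """Do not restrict the character set; only reject what cannot be carried
    in a C string or an argv entry (NUL) and unbounded length."""
    return 0 < len(value) <= 4096 and "\x00" not in value


def slave_probe_argv(host: str, password: str) -> list:
    """Build the command as an argv list, so no character in the password
    is ever interpreted by a shell. The probe command is a stand-in: a
    Python one-liner that echoes its own argv back as JSON."""
    if not validate_host(host):
        raise ValueError("invalid slave host")
    if not validate_password(password):
        raise ValueError("invalid slave password")
    echo = "import json, sys; print(json.dumps(sys.argv[1:]))"
    return [sys.executable, "-c", echo, "--host", host, "--password", password]


def run_slave_probe(host: str, password: str) -> list:
    """Run the probe without shell=True and return the argv the child saw."""
    proc = subprocess.run(slave_probe_argv(host, password),
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    # Constructed sample values: a hostname containing a hyphen and a
    # password full of characters a shell would otherwise interpret.
    seen = run_slave_probe("slave-01.example.org", "p@ss; echo injected & #")
    print(seen)
```

Run stand-alone, the child process reports the password as a single intact argument, which is the property the reply is after: loosening the password character set is safe only if every place the value is used passes it as data (argv element, parameter binding, escaped for its output context) rather than splicing it into a command string.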