[Openvas-discuss] gsad: Validating host and password fields when creating slaves
Stefan.Schwarz at unibw.de
Mon Mar 7 10:31:36 CET 2011
Am 06.03.2011 21:43, schrieb Tim Brown:
> On Saturday 05 March 2011 11:31:27 Stefan Schwarz wrote:
>> After having problems with slave settings I discovered the following
>> problems with validation.
>> Host-entries shouldn't be restricted to IP-addresses. At least "-"
>> should also be a valid char.
>> Passwords shouldn't be validated at all. Any chars should be allowed.
> There's a fine line between not restricting people's ability to use whatever
> password they want and accepting input which may turn out to cause other types
> of security flaw (see for example the recent command injection vulnerability).
> I'm all for loosening the controls but we must do so in a fashion that ensures
> new weaknesses are not introduced. I believe your problems stem from a change
> to tighten the accepted character sets in response to that command injection
> vulnerability. I'd want to take a look at where those values are used and in
> what context before any significant changes are approved.
So the focus should be on correct application behavior with password
fields (e.g. SQL-safe handling) rather than restricting them to a very
limited set of chars. We authenticate against LDAP and our central
password policy is very strict, enforcing special chars. At least
error messages should indicate why an input was rejected.
At a minimum the application should provide consistent behavior. So
gsad allows passwords for creating credentials, but rejects the same
passwords when creating slave entries.
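Added example (not gsad or OpenVAS code) illustrating the distinction raised in this thread: validate the host field as an RFC 1123 hostname or IP literal so "-" is accepted, and leave the password field unrestricted while handling it safely (parameterised SQL, argv rather than a shell string). The table layout and the child-process call are hypothetical stand-ins.

```python
import re
import sqlite3
import subprocess
import sys
import ipaddress

# RFC 1123 label: letters, digits and hyphens, 1-63 chars, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def valid_slave_host(host: str) -> bool:
    """Accept an IPv4/IPv6 literal or an RFC 1123 hostname, so 'slave-01.example.org' passes."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    if not host or len(host) > 253:
        return False
    return all(_LABEL.match(label) for label in host.rstrip(".").split("."))

def store_slave(conn, name, host, login, password):
    """Validate the host, but store the password verbatim via a parameterised query:
    no character whitelist is needed because the value never reaches the SQL parser."""
    if not valid_slave_host(host):
        raise ValueError("invalid slave host: %r" % host)
    conn.execute("INSERT INTO slaves(name, host, login, password) VALUES (?, ?, ?, ?)",
                 (name, host, login, password))
    conn.commit()

def load_password(conn, name):
    row = conn.execute("SELECT password FROM slaves WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None

def pass_to_child(password):
    """Hand the secret to a child process as an argv element, never via a shell string,
    so quotes, ';' and '$(...)' in it are inert. Hypothetical stand-in for an external client."""
    proc = subprocess.run([sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", password],
                          capture_output=True, text=True, check=True)
    return proc.stdout

def demo():
    """Round-trip a constructed password full of SQL and shell metacharacters."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE slaves(name TEXT PRIMARY KEY, host TEXT, login TEXT, password TEXT)")
    pw = "p@ss'; DROP TABLE slaves; -- $(id) `id` & |"  # constructed sample, not a real credential
    store_slave(conn, "scanner-1", "slave-01.example.org", "omp", pw)
    return load_password(conn, "scanner-1") == pw and pass_to_child(pw) == pw
```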