[Openvas-discuss] gsad: Validating host and password fields when creating slaves

Stefan Schwarz Stefan.Schwarz at unibw.de
Mon Mar 7 10:31:36 CET 2011

On 06.03.2011 21:43, Tim Brown wrote:
> On Saturday 05 March 2011 11:31:27 Stefan Schwarz wrote:
>> Hi,
>> after having problems with slave settings I discovered the following
>> problems with validation.
>> Host entries shouldn't be restricted to IP addresses. At least "-"
>> should also be a valid char.
>> Passwords shouldn't be validated at all. Any chars should be allowed.
> There's a fine line between not restricting people's ability to use whatever
> password they want and accepting input which may turn out to cause other types
> of security flaw (see for example the recent command injection vulnerability).
> I'm all for loosening the controls but we must do so in a fashion that ensures
> new weaknesses are not introduced.  I believe your problems stem from a change
> to tighten the accepted character sets in response to that command injection
> vulnerability.  I'd want to take a look at where those values are used and in
> what context before any significant changes are approved.
> Tim
So the focus should be on correct application behavior with password 
fields (e.g. SQL-safe handling) rather than restricting them to a very 
limited set of chars. We authenticate against LDAP, and our central 
password policy is very strict and enforces special chars. At the very 
least, error messages should indicate why an input was rejected.

At a minimum the application should provide consistent behavior. 
gsad allows passwords when creating credentials, but rejects the same 
passwords when creating slave entries.
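The approach argued for in this thread (syntactic validation of the host field that admits hyphenated hostnames, no character whitelist on the password, the password kept safe by how it is used rather than by filtering, one shared policy so both forms behave the same, and rejection messages that name the reason) as an added example. This is illustrative Python, not code from gsad (which is written in C); the field names, the `POLICY` table and the SQLite schema are assumptions made for the example, and the awkward password in `__main__` is constructed input.

```python
"""Constructed example: one validation policy for the 'host' and 'password'
fields of a slave/credential form.  Not gsad code.

Host: RFC 1123 hostname (so "-" is legal inside a label) or an IP literal.
Password: no character whitelist; it is never interpolated into SQL or a
shell string, so nothing needs to be filtered out of it.
"""
import ipaddress
import re
import sqlite3

# One DNS label: letters, digits and hyphens, 1-63 chars, no leading or
# trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_host(value):
    """Return (ok, reason).  Accepts IPv4/IPv6 literals and RFC 1123 names."""
    if not value:
        return False, "host must not be empty"
    try:
        ipaddress.ip_address(value)
        return True, ""
    except ValueError:
        pass  # not an IP literal; fall through to the hostname rules
    host = value[:-1] if value.endswith(".") else value  # allow an FQDN's trailing dot
    if len(host) > 253:
        return False, "hostname longer than 253 characters"
    for label in host.split("."):
        if not _LABEL.match(label):
            return False, "invalid hostname label %r" % label
    return True, ""


def validate_password(value):
    """No character restriction.  Only reject empty values and embedded NUL
    bytes, which a C string (gsad is C) would silently truncate."""
    if not value:
        return False, "password must not be empty"
    if "\x00" in value:
        return False, "password contains a NUL byte"
    return True, ""


# Assumed policy table shared by every form, so a password accepted on the
# credential form can never be rejected on the slave form.
POLICY = {"host": validate_host, "password": validate_password}


def validate_form(fields):
    """Check each known field; return 'field: reason' messages (empty if OK)."""
    errors = []
    for name, check in POLICY.items():
        if name in fields:
            ok, reason = check(fields[name])
            if not ok:
                errors.append("%s: %s" % (name, reason))
    return errors


def store_and_fetch_password(password):
    """Round-trip a password through SQLite with a parameterised query.  The
    driver does the quoting, so quotes, semicolons and shell metacharacters
    in the password are stored and returned unchanged."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE slaves (id INTEGER PRIMARY KEY, host TEXT, password TEXT)")
    conn.execute("INSERT INTO slaves (host, password) VALUES (?, ?)", ("slave-01", password))
    row = conn.execute("SELECT password FROM slaves WHERE host = ?", ("slave-01",)).fetchone()
    conn.close()
    return row[0]


if __name__ == "__main__":
    awkward = "p@ss'; DROP TABLE slaves; -- $(id) `reboot` |&<>\"\\"  # constructed
    print(validate_form({"host": "scan-slave-01.example.org", "password": awkward}))
    print(validate_form({"host": "slave_01 ; id", "password": ""}))
    print(store_and_fetch_password(awkward) == awkward)
```

The point of splitting the two fields this way is that the host value is later used as a name (so a grammar for it exists and can be enforced), while the password is opaque data whose only safe handling is to pass it to the database driver or a subprocess as a parameter, never as part of a command or query string.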

