[Openvas-discuss] gsad: Validating host and password fields when creating slaves

Matthew Mundell matthew.mundell at greenbone.net
Mon Mar 14 14:07:08 CET 2011


> On Saturday 05 March 2011 11:31:27 Stefan Schwarz wrote:
> > Hi,
> >
> > after having problems with slave-settings I discovered the following
> > problems with validating.
> >
> > Host-entries shouldn't be restricted to IP-addresses. At least "-"
> > should also be a valid char.
> >
> > Passwords shouldn't be validated at all. Any chars should be allowed.
>
> There's a fine line between not restricting people's ability to use whatever
> password they want and accepting input which may turn out to cause other types
> of security flaw (see for example the recent command injection vulnerability).
> I'm all for loosening the controls but we must do so in a fashion that ensures
> new weaknesses are not introduced.  I believe your problems stem from a change
> to tighten the accepted character sets in response to that command injection
> vulnerability.  I'd want to take a look at where those values are used and in
> what context before any significant changes are approved.

This password has been like that since at least r6042.  In the GSA we made
everything very tight at first and have been loosening things as people run
into problems.

All restrictions on the LSC Credential password were dropped on 2011-01-18.

I think it makes sense to do the same for this slave and user password.
The Manager and Administrator already allow any password in the associated
OMP and OAP commands.

So I'd like to lift the restriction as time permits.  Is this OK, Tim?
Shall I send you a patch to check?  Or I can tell you when it's in SVN.

--
Greenbone Networks GmbH
Neuer Graben 17, 49074 Osnabrueck, Germany | AG Osnabrueck, HR B 202460
Executive Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner
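As an added example (not gsad's own validation code), a syntactic check for the slave host field that accepts the hyphen Stefan asks for while keeping the allow-list tight enough that shell metacharacters are still rejected; the function name is hypothetical and IPv6 literals are not handled.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Return 1 if `host` is a dotted IPv4 address or an RFC 1123 style hostname:
 * labels of alphanumerics and '-', no leading/trailing '-', each label at
 * most 63 chars, whole name at most 253 chars, no empty labels.  Return 0
 * otherwise.  Hypothetical validator, not the gsad/openvas_validate() code. */
int
valid_slave_host (const char *host)
{
  size_t len, label_len = 0;

  if (host == NULL)
    return 0;
  len = strlen (host);
  if (len == 0 || len > 253)
    return 0;

  for (size_t i = 0; i < len; i++)
    {
      unsigned char c = (unsigned char) host[i];
      if (c == '.')
        {
          /* Empty label (leading '.', "a..b") or a label ending in '-'. */
          if (label_len == 0 || host[i - 1] == '-')
            return 0;
          label_len = 0;
        }
      else if (isalnum (c) || c == '-')
        {
          /* A label may not start with a hyphen. */
          if (label_len == 0 && c == '-')
            return 0;
          if (++label_len > 63)
            return 0;
        }
      else
        /* Everything else (space, ';', '|', '$', '`', quotes, ...) is
         * rejected, so allowing '-' does not let shell metacharacters in. */
        return 0;
    }

  /* Trailing '.' or a final label ending in '-'. */
  if (label_len == 0 || host[len - 1] == '-')
    return 0;
  return 1;
}
```

A dotted IPv4 address passes because digits and '.' are within the allowed set, so the check is a strict superset of an IP-only rule.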
