[Openvas-discuss] gsad: Validating host and password fields when creating slaves
timb at openvas.org
Sun Mar 6 21:43:29 CET 2011
On Saturday 05 March 2011 11:31:27 Stefan Schwarz wrote:
> after having problems with slave-settings I discovered the following
> problems with validating.
> Host-entries shouldn't be restricted to IP-addresses. At least "-"
> should also be a valid char.
> Passwords shouldn't be validated at all. Any chars should be allowed.
There's a fine line between not restricting people's ability to use whatever
password they want and accepting input which may turn out to cause other types
of security flaw (see for example the recent command injection vulnerability).
I'm all for loosening the controls but we must do so in a fashion that ensures
new weaknesses are not introduced. I believe your problems stem from a change
to tighten the accepted character sets in response to that command injection
vulnerability. I'd want to take a look at where those values are used and in
what context before any significant changes are approved.
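One way to reconcile the two positions in this thread (hostnames with "-" accepted, passwords left unrestricted, and no new injection path opened) is to validate the host field strictly as an IP literal or RFC 1123 hostname while treating the password purely as data that never reaches a shell. The following is an added example written for this reply, not code from gsad or the OpenVAS project; it is in Python rather than gsad's C, and the client name `omp-client` and the environment variable `OMP_PASSWORD` are hypothetical stand-ins for however the slave is actually contacted.

```python
from __future__ import annotations

import ipaddress
import re

# RFC 1123 hostname label: letters, digits and hyphens, 1-63 characters,
# with no leading or trailing hyphen. Underscores are deliberately not accepted.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_host(value: str) -> bool:
    """Accept an IPv4/IPv6 literal or an RFC 1123 hostname (hyphens inside labels are fine)."""
    if not value or len(value) > 253:
        return False
    try:
        # ipaddress.ip_address raises ValueError for anything that is not an address literal.
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    # Allow one trailing dot (fully qualified form), then check every label.
    labels = value.rstrip(".").split(".")
    return all(_LABEL_RE.match(label) for label in labels)


def build_slave_invocation(host: str, password: str) -> tuple[list[str], dict[str, str]]:
    """Return (argv, env) for contacting a slave with a hypothetical client.

    The host is validated before use. The password is not filtered at all: it is
    handed over as a single environment value, so shell metacharacters in it are
    never interpreted, and it is kept off the command line where other local users
    could read it via the process list.
    """
    if not is_valid_host(host):
        raise ValueError(f"invalid slave host: {host!r}")
    argv = ["omp-client", "--host", host]  # hypothetical client binary (constructed name)
    env = {"OMP_PASSWORD": password}  # hypothetical variable; the password is data, not shell text
    return argv, env


if __name__ == "__main__":
    # Constructed sample values, including a password full of shell metacharacters.
    argv, env = build_slave_invocation("scanner-01.example.net", "p&ss;w0rd|$(x)")
    print(argv, env)
    # A real caller would do: subprocess.run(argv, env={**os.environ, **env}) -- never shell=True.
```

The validation lets through exactly what the original poster asked for (a hyphen inside a hostname label) while still rejecting anything containing `;`, spaces, quotes or other characters that have no place in a host field, and the password path never concatenates user input into a shell string at all, which is the property the command injection fix was protecting.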