[icinga-checkins] icinga.org: icinga-core/mfriedrich/core: statusmap.cgi: fixed XSS vulnerability #1281

git at icinga.org git at icinga.org
Tue Mar 29 10:45:37 CEST 2011


Module: icinga-core
Branch: mfriedrich/core
Commit: 795d4ca742ec8895424bb3e45e77dd6c833b6416
URL:    https://git.icinga.org/?p=icinga-core.git;a=commit;h=795d4ca742ec8895424bb3e45e77dd6c833b6416

Author: Ricardo Bartels <ricardo at bitchbrothers.com>
Date:   Thu Mar 10 22:43:59 2011 +0100

statusmap.cgi: fixed XSS vulnerability #1281

fixes: #1281

---

 Changelog       |    1 +
 cgi/statusmap.c |    2 +-
 2 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/Changelog b/Changelog
index 83a7613..9f86011 100644
--- a/Changelog
+++ b/Changelog
@@ -8,6 +8,7 @@ FIXES
 * core: fix flexible downtime on service hard state change doesn't get triggered/activated #1128
 
 * classic ui: fixed csv export link to make it XSS save (IE) #1275
+* classic ui: statusmap.cgi: fixed XSS vulnerability #1281
 
 
 1.3.0 - 16/02/2011
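Review bot: The new Changelog line repeats the commit title without saying what was escaped; naming the input (the layer name that print_layer_url writes into the GET URL in statusmap.cgi) would let readers map the entry to the affected parameter, e.g. "statusmap.cgi: escape layer name in GET url to fix XSS #1281". The neighbouring entry above it still reads "XSS save" where "XSS safe" is meant, which could be corrected in the same touch.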
diff --git a/cgi/statusmap.c b/cgi/statusmap.c
index 9bf4257..57aed8d 100644
--- a/cgi/statusmap.c
+++ b/cgi/statusmap.c
@@ -2244,7 +2244,7 @@ void print_layer_url(int get_method){
 
 	for(temp_layer=layer_list;temp_layer!=NULL;temp_layer=temp_layer->next){
 		if(get_method==TRUE)
-			printf("&layer=%s",temp_layer->layer_name);
+			printf("&layer=%s",escape_string(temp_layer->layer_name));
 		else
 			printf("<input type='hidden' name='layer' value='%s'>\n",escape_string(temp_layer->layer_name));
 	        }
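Review bot: The changed line emits the layer name into a URL query string (`&layer=%s`), while escape_string is the HTML-entity escaper the hidden-input branch below already uses. Because the resulting link is embedded in HTML, HTML escaping does close the reported markup injection, so the fix is correct for #1281; but a layer name containing `&`, `=` or whitespace can still alter the structure of the query itself, which only percent-encoding prevents. Consider using the CGI utilities' URL encoder here (Nagios-derived CGIs provide url_encode for exactly this case) and leaving escape_string for the HTML branch, so each output context gets its own encoder. Minor style point on the last context line: the closing brace is indented with a tab followed by spaces, unlike the rest of the block.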