ConSol-Monitoring / snclient

SNClient+ - Cross platform monitoring agent
MIT License

external script, nasty characters & argument injection #158

Open FranckSallet opened 2 weeks ago

FranckSallet commented 2 weeks ago

Hello,

I defined a command in the "[/settings/external scripts/scripts]" section that uses a binary, check-ping.exe:

check_ping = bin/check-ping.exe /host '$ARG1$'

I set the parameter "allow nasty characters" to false in the category "[/settings/external scripts]",

but I can pass this kind of command:

./check_nrpe -H X.X.X.X -c check_ping -a "google.fr' || echo coucou ||'''"
coucou

Can you check if the option "allow nasty characters" is functional for external scripts?

Regards

sni commented 2 weeks ago

Actually, the NRPE server uses its own settings for those things, e.g.:

[/settings/NRPE/server]
allow nasty characters = false
allow arguments = true

Then it works as expected.

/usr/lib/nagios/plugins/check_nrpe -H localhost -c check_ping -a "google.fr' || echo coucou ||'''"
Exception processing request: Request contained illegal characters (check the allow nasty characters option).

So check your nrpe section to see what's configured there. Right now the settings from [/settings/external scripts/scripts] are not used for nrpe.
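
An added example, not part of the thread and not SNClient's own code: a minimal Go sketch of the listener-level check described above, where arguments are validated against "allow arguments" and "allow nasty characters" before `$ARG1$` is substituted into the command line. `ServerConf`, `ExpandCommand` and the `nastyChars` list are hypothetical names and values chosen for illustration; the agent's actual character list may differ.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Assumed character set for illustration; the agent's real default may differ.
const nastyChars = "$|`&><'\"\\[]{}"

// ServerConf models the two options from the [/settings/NRPE/server] section.
type ServerConf struct {
	AllowArguments bool
	AllowNasty     bool
}

var (
	errArgs  = errors.New("arguments not allowed")
	errNasty = errors.New("request contained illegal characters")
)

// ExpandCommand rejects disallowed arguments first, then fills $ARGn$ macros.
func ExpandCommand(conf ServerConf, template string, args []string) (string, error) {
	if len(args) > 0 && !conf.AllowArguments {
		return "", errArgs
	}
	pairs := make([]string, 0, 2*len(args))
	for i, a := range args {
		if !conf.AllowNasty && strings.ContainsAny(a, nastyChars) {
			return "", fmt.Errorf("%w (argument %d)", errNasty, i+1)
		}
		pairs = append(pairs, fmt.Sprintf("$ARG%d$", i+1), a)
	}
	// Single-pass replacement: a macro name inside one argument is not re-expanded.
	return strings.NewReplacer(pairs...).Replace(template), nil
}

func main() {
	tmpl := "bin/check-ping.exe /host '$ARG1$'" // command definition from the issue
	strict := ServerConf{AllowArguments: true, AllowNasty: false}
	// First value is a constructed benign input; second is the argument from the issue.
	for _, arg := range []string{"google.fr", "google.fr' || echo coucou ||'''"} {
		cmd, err := ExpandCommand(strict, tmpl, []string{arg})
		fmt.Printf("%q -> cmd=%q err=%v\n", arg, cmd, err)
	}
}
```

The filter only protects a command if it runs on the path the request actually takes, which is why setting the option in a section the NRPE listener does not read had no effect.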

FranckSallet commented 1 week ago

Thanks for the reply, it works.

So in what context does "allow nasty characters" work in the "[/settings/external scripts/scripts]" section?

Thanks

sni commented 1 week ago

Right now, probably not at all. But it might be a good idea to use them together with the settings from the NRPE/Web section.