Hello. My syslog-ng (version 3.4.8) logs some messages into the PostgreSQL database. I am going to set up a web page which will display those logs. I submitted the log entry "alert('123')" surrounded by "script" HTML tags and displayed the content of the database table on a web page. JavaScript alerted "123", which means it is an XSS vulnerability. I am not in control of incoming log messages and they can contain anything, so I do not trust them. Is there anything I can do from the syslog-ng side of things to close this XSS vulnerability, or do I have to deal with it in my web application?
"Nikolay" == Nikolay P <nikolay.p@cos.flag.org> writes:

Nikolay> Is there anything I can do from the syslog-ng side of
Nikolay> things to close this XSS vulnerability or I have to deal
Nikolay> with it in my Web application?

You can apply rewrite rules that replace "<" with "&lt;", for example, but that's more a workaround than a solution. It is the web app that you will have to teach to sanitize its input, if you want to avoid such vulnerabilities.

--
|8]
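The web-application side of the fix the reply points to, as an added example that is not from the thread or from syslog-ng itself: every value read back from the log table is HTML-escaped at output time, regardless of what syslog-ng stored. The column names and sample rows are constructed for the example, and the first function reproduces the unescaped rendering that produced the alert in the original question for comparison.

```python
import html
from typing import Iterable, Mapping

# Constructed sample rows, shaped like what a syslog-ng PostgreSQL destination
# might store (hypothetical column names). The second row is the payload from
# the question; the third targets an attribute context instead of element text.
SAMPLE_ROWS = [
    {"host": "web01", "program": "sshd", "message": "Accepted publickey for alice"},
    {"host": "web01", "program": "app", "message": "<script>alert('123')</script>"},
    {"host": 'db01" onmouseover="alert(1)', "program": "postgres", "message": "ready"},
]


def render_unsafe(rows: Iterable[Mapping[str, object]]) -> str:
    # What the original page did: the stored value goes straight into the HTML.
    return "".join(f"<td>{row['message']}</td>" for row in rows)


def escape_cell(value: object) -> str:
    # html.escape with quote=True also rewrites ' and ", so the result is safe
    # both as element text and inside a double-quoted attribute value.
    return html.escape(str(value), quote=True)


def render_log_table(rows: Iterable[Mapping[str, object]]) -> str:
    # Nothing read from the database is trusted; every field is escaped here,
    # so it does not matter whether syslog-ng rewrote the message or not.
    parts = ["<table>", "<tr><th>host</th><th>program</th><th>message</th></tr>"]
    for row in rows:
        host = escape_cell(row["host"])
        parts.append(
            f'<tr title="{host}"><td>{host}</td>'
            f'<td>{escape_cell(row["program"])}</td>'
            f'<td>{escape_cell(row["message"])}</td></tr>'
        )
    parts.append("</table>")
    return "\n".join(parts)


def contains_unescaped_markup(rendered: str, untrusted: str) -> bool:
    # Regression check for the renderer: an untrusted value that carries any
    # character escaping would rewrite must never appear verbatim in the output.
    needs_escaping = any(c in untrusted for c in "<>&\"'")
    return needs_escaping and untrusted in rendered


if __name__ == "__main__":
    print(render_log_table(SAMPLE_ROWS))
```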
participants (2): Gergely Nagy, Nikolay P