
Re: [nv-l] Variables changed in 7.1?

To: nv-l@lists.tivoli.com
Subject: Re: [nv-l] Variables changed in 7.1?
From: "Scott Bursik" <tivoliesm@hotmail.com>
Date: Tue, 19 Feb 2002 14:39:33 -0600

"Milburn, Shane B" writes:
  I'm getting the following error message in trapd.log about an illegal
character in varbinds. What is this
  and why am I getting it? How do I fix this?
 
This message is a feature of the security efix netview released in
response to CERT advisory:
 http://www.cert.org/advisories/CA-2001-24.html
 
Basically, it is keeping you from opening a rather large hole in your
system to a would-be intruder. Without the fix, someone could send
you a sufficiently malformed snmpv1 trap with a varbind chock full of
the right shell metacharacters. If this were passed to an external
script in your environment, it opened the door to the possibility of
an attacker running arbitrary commands in root context (or whatever
user the Netview server is running as).
 
To address this underlying security problem with SNMPv1's
non-authenticated handling of unsolicited traps, NetView does stuff to
all non-alphanumeric characters within traps. By default on the
unix side, it prepends backslashes to all periods it encounters as
well as any characters added to the AdditionalLegalTrapCharacters
environment variable. All other alphanumerics, it indiscriminately
replaces with the _ character.
 
In the fix notes, Tivoli provides a sed command for removing the \
from the periods. You may have to do this in several scripts.
 
You should treat trap varbind data as "tainted" and script carefully
just as you would in processing user data submitted via a CGI form on
a web page to prevent an imbedded string of say `rm -rf /*` or in
windows `echo y | deltree c:\winnt` in a varbind from doing something
rather nasty to your installation.
 
 
  One or more varbinds contained an illegal character.
  Sanitized! version of the command:
   perl D:\usr\local\OV\bin\autoPageMail.pl rf212-cs659-b.ra.intel.com
"Cisco_Link_Up Slot/Port=1_2"
 
 From the looks of this, perhaps your name for the Cisco Link Up trap
included a non-alphanumeric.
 
--
Todd H.
http://www.toddh.net/




Scott Bursik
Pepsico Business Solutions Group
scott.bursik@pbsg.com
>From: "Cavazos, David"
>To: "'nv-l@lists.tivoli.com'"
>Subject: [nv-l] Variables changed in 7.1?
>Date: Tue, 19 Feb 2002 13:16:51 -0600
>
>I seem to be having a problem with how variables are returned during trap
>processing on 7.1.
>In 6.0.x on the Netview Node Down Trap $2 was being returned as
>host.tgslc.org (just an example).
>But in 7.1 the $2 variable is being returned as host/.tgslc/.org .
>Why did this change? Or am I doing something wrong?
>
>
>Thanks
>David Cavazos (MCSE, MCDBA)
>Database Engineer
>Texas Guaranteed Student Loan Corp.
>david.cavazos@tgslc.org
>
>
>
>
>
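
Added example, not part of the original thread and not NetView or Tivoli code: one way a trap script can treat a hostname varbind as tainted, as the reply above advises. It strips the backslash the sanitizer puts before periods (this sed expression is written for the example and is not the one from Tivoli's fix notes), checks the result against a hostname allowlist, and hands it on as a single quoted argument. `handle_node_down` and `NOTIFY_CMD` are hypothetical names and the sample varbinds are constructed.

```shell
#!/bin/sh
# Added example (not NetView or Tivoli code): treat a trap varbind as tainted.
LC_ALL=C; export LC_ALL   # make the A-Z / a-z ranges below byte-exact

# Undo the backslash the sanitizer prepends to each period: host\.a\.org -> host.a.org
unescape_periods() {
    printf '%s' "$1" | sed 's/\\\././g'
}

# Allowlist check: letters, digits, '.' and '-' only, hostname-shaped.
is_safe_hostname() {
    case "$1" in
        ''|.*|*.|-*|*..*)   return 1 ;;   # empty, edge dots, option-like, empty label
        *[!A-Za-z0-9.-]*)   return 1 ;;   # anything outside the allowlist
    esac
    [ "${#1}" -le 253 ]
}

# Print the cleaned hostname, or fail without output.
clean_host_varbind() {
    host=$(unescape_periods "$1")
    is_safe_hostname "$host" || return 1
    printf '%s\n' "$host"
}

# Hypothetical handler: $1 is the varbind, NOTIFY_CMD an assumed notifier program.
handle_node_down() {
    if host=$(clean_host_varbind "$1"); then
        # One quoted argument; no eval and no command line built from strings.
        "${NOTIFY_CMD:-echo}" "$host"
    else
        echo "rejected varbind" >&2
        return 1
    fi
}

# Constructed sample varbinds, as they might arrive after sanitizing.
for v in 'host\.tgslc\.org' 'host\.a\.org;x' '-rf' 'a\.\.b'; do
    if handle_node_down "$v" >/dev/null 2>&1; then
        echo "accept: $v"
    else
        echo "reject: $v"
    fi
done
```

The allowlist still matters after NetView's own filtering, because any character added to AdditionalLegalTrapCharacters is passed through to the script.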



Archive operated by Skills 1st Ltd
