OpenVAS - OpenVAS - Open Vulnerability Assessment System Community Site

OpenVAS Change Request #4: Remove plugin upload feature

Status: Voted +4. Done. Feature is no longer present in OpenVAS 2.0.

Purpose

To reduce code base.

To avoid the risk of security problems.

References

none.

Rationale

This feature was introduced in Nessus version 1.1.11 according to openvas-server/CHANGES.

Uploaded script are a potential source of security problems. They are executed regardless of the the signature policy and for example can include and execute .inc files even if they have a invalid signature.

Apart from this, the feature seems not really required in practice. This assumption is supported by the fact that OpenVAS-Client (and thus Nessus-Client) did not implement a feature to upload plugins.

Effects

Clients will not be able anymore to use the protocol command "ATTACHED_PLUGIN" with the OpenVAS server and will receive a protocol error when trying so.
Directories $prefix/var/openvas/users//plugins/ will not be created via "openvas-add-user". Existing ones are not considered anymore and can be removed.
The setting "admin_user", "plugin_upload" and "plugin_upload_suffixes" in openvasd.conf will not be considered anymore and can be removed.
Undocumented NTP protocol command HUP_FATHER will not be available anymore.
Those users that were configured as admin via "admin_user" will not be able anymore to override max_checks and max_hosts.

Design and Implementation

While keeping NTP11 protocol: Alway deny upon a ATTACHED_PLUGIN command.
After protocol upgrade: Remove module openvas-server/openvasd/pluginupload.c|h and its use.
Remove handling of configuration parameters "plugin_upload" and "plugin_upload_suffixes" in module openvas-server/openvasd/preferences.c and openvas-server/openvasd/ntp_11.c.
After protocol upgrade: NTP protocol keywords "ATTACHED_PLUGIN" should be removed from openvas-server/openvasd/ntp_11.c and openvas-server/doc/ntp/ntp_extensions.txt.

History

2008-02-14 Jan-Oliver Wagner <jan-oliver.wagner@intevation.de>:
Initial text.
2008-02-23 Jan-Oliver Wagner <jan-oliver.wagner@intevation.de>:
Updated status with result of voting.
2008-05-09 Jan-Oliver Wagner <jan-oliver.wagner@intevation.de>:
Updated status, effects and implementation.
2008-10-21 Michael Wiegand <michael.wiegand@intevation.de>:
Updated status.
2008-12-29 Michael Wiegand <michaek.wiegabd@intevation.de>:
Updated status.

About

Information/Howtos

Support

Developers Corner

Download

NVT Lookup by OID