OpenVAS Change Request #4: Remove plugin upload feature
Status: Voted +4. First step (denial of upload) implemented and released with OpenVAS-Server 1.0.1. Completion will happen with next protocol version.Purpose
To reduce code base.
To avoid the risk of security problems.
References
none.
Rationale
This feature was introduced in Nessus version 1.1.11 according to openvas-server/CHANGES.
Uploaded script are a potential source of security problems. They are executed regardless of the the signature policy and for example can include and execute .inc files even if they have a invalid signature.
Apart from this, the feature seems not really required in practice. This assumption is supported by the fact that OpenVAS-Client (and thus Nessus-Client) did not implement a feature to upload plugins.
Effects
- Clients will not be able anymore to use the protocol command "ATTACHED_PLUGIN" with the OpenVAS server and will receive a protocol error when trying so.
- Directories $prefix/var/openvas/users/
/plugins/ will not be created via "openvas-add-user". Existing ones are not considered anymore and can be removed. - The setting "admin_user", "plugin_upload" and "plugin_upload_suffixes" in openvasd.conf will not be considered anymore and can be removed.
- Undocumented NTP protocol command HUP_FATHER will not be available anymore.
- Those users that were configured as admin via "admin_user" will not be able anymore to override max_checks and max_hosts.
Design and Implementation
- While keeping NTP11 protocol: Alway deny upon a ATTACHED_PLUGIN command.
- After protocol upgrade: Remove module openvas-server/openvasd/pluginupload.c|h and its use.
- Remove handling of configuration parameters "plugin_upload" and "plugin_upload_suffixes" in module openvas-server/openvasd/preferences.c and openvas-server/openvasd/ntp_11.c.
- After protocol upgrade: NTP protocol keywords "ATTACHED_PLUGIN" should be removed from openvas-server/openvasd/ntp_11.c and openvas-server/doc/ntp/ntp_extensions.txt.
History
- 2008-02-14 Jan-Oliver Wagner <jan-oliver.wagner@intevation.de>:
Initial text. - 2008-02-23 Jan-Oliver Wagner <jan-oliver.wagner@intevation.de>:
Updated status with result of voting. - 2008-05-09 Jan-Oliver Wagner <jan-oliver.wagner@intevation.de>:
Updated status, effects and implementation.