/ 
App-Netdisco-2.031009
⭐ Starred 676
/ App::Netdisco::Manual::Troubleshooting
Security Advisories (10)
CVE-2022-24785 (2022-04-04)

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

CVE-2020-11022 (2020-04-29)

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

CVE-2020-11023 (2020-04-29)

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

CVE-2019-11358 (2019-04-20)

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

CVE-2015-9251 (2018-01-18)

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

CVE-2011-4969 (2013-03-08)

Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.

CVE-2012-6708 (2018-01-18)

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

CVE-2020-7656 (2020-05-19)

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

CVE-2019-5428

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as _proto_, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

CVE-2014-6071 (2018-01-16)

jQuery 1.4.2 allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to use of the text method inside after.

NAME

App::Netdisco::Manual::Troubleshooting - Tips and Tricks for Troubleshooting

Understanding Nodes and Devices

The two basic components in Netdisco's world are Nodes and Devices. Devices are your network hardware, such as routers, switches, and firewalls. Nodes are the end-stations connected to Devices, such as workstations, servers, printers, and telephones.

Devices respond to SNMP, and therefore can report useful information about themselves such as interfaces, operating system, IP addresses, as well as knowledge of other systems via MAC address and ARP tables. Devices are actively contacted by Netdisco during a discover (and other polling jobs such as macsuck, arpnip).

Nodes on the other hand are passive as far as Netdisco is concerned. The only job which contacts a Node is nbtstat, which makes NetBIOS queries. Nodes are learned about via the MAC and ARP tables on Devices. Sometimes you might run an SNMP agent on a server (Node), and in this case Netdisco will treat it as a Device unless you prevent this using the discover_no or discover_only configuration.

Netdisco discovers Devices using "neighbor protocols" such as CDP and LLDP. We assume your Devices are running these protocols and learning about their connections to each other. If they aren't, you'll need to configure manual topology within the web interface (or simply have standalone Devices).

If you don't see links between Devices in Netdisco, it's either because they're not running a neighbor protocol, or for some reason not reporting the relationships to Netdisco. Use the show command to troubleshoot this:

~netdisco/bin/netdisco-do show -d 192.0.2.1 -e c_id

Run a netdisco-do Task with Debugging

The netdisco-do command has several debug flags which will show what's going on internally. Usually you always add -D for general Netdisco debugging, then -I for SNMP::Info logging and -Q for SQL tracing. For example:

~netdisco/bin/netdisco-do discover -d 192.0.2.1 -DIQ

You will see that SNMPv2 community strings are hidden by default, to make the output safe for sending to Netdisco developers. To show the community string, set the SHOW_COMMUNITY environment variable:

SHOW_COMMUNITY=1 ~netdisco/bin/netdisco-do discover -d 192.0.2.1 -DIQ

Dump an SNMP object for a Device

This is useful when trying to work out why some information isn't displaying correctly (or at all) in Netdisco. It may be that the SNMP response isn't understood. Netdisco can dump any leaf or table, by name:

~netdisco/bin/netdisco-do show -d 192.0.2.1 -e interfaces
~netdisco/bin/netdisco-do show -d 192.0.2.1 -e Layer2::HP::interfaces

You can combine this with SNMP::Info debugging, shown above (-I).

Interactive SQL terminal on the Netdisco Database

Start an interactive terminal with the Netdisco PostgreSQL database. If you pass an SQL statement in the "-e" option then it will be executed.

~netdisco/bin/netdisco-do psql
~netdisco/bin/netdisco-do psql -e 'SELECT ip, dns FROM device'
~netdisco/bin/netdisco-do psql -e 'COPY (SELECT ip, dns FROM device) TO STDOUT WITH CSV HEADER'

The last example above is useful for sending data to Netdisco developers, as it's more compact and readable than the standard tabular output (second example).

Database Schema Redeployment

The database schema can be fully redeployed (even over an existing installation), in a safe way, using the following command:

~netdisco/bin/netdisco-db-deploy --redeploy-all

Debug HTTP Requests and Configuration

You can see HTTP Headers received by Netdisco, and other information such as how it's parsing the config file, by enabling the Dancer debug plugin. First download the plugin:

~netdisco/bin/localenv cpanm --notest Dancer::Debug

Then run the web daemon with the environment variable to enable the feature:

DANCER_DEBUG=1 ~/bin/netdisco-web restart

A side panel appears in the web page with debug information. Be sure to turn this off when you're done (stop and start without the environment variable) otherwise secrets could be leaked to end users.