OpenVAS Change Request #4: Remove plugin upload feature
Status: Voted +4. Done. Feature is no longer present in OpenVAS 2.0.
To reduce code base.
To avoid the risk of security problems.
This feature was introduced in Nessus version 1.1.11 according to openvas-server/CHANGES.
Uploaded scripts are a potential source of security problems. They are executed regardless of the signature policy and, for example, can include and execute .inc files even if those files have an invalid signature.
Apart from this, the feature does not seem to be really required in practice. This assumption is supported by the fact that OpenVAS-Client (and thus Nessus-Client) did not implement a feature to upload plugins.
- Clients will no longer be able to use the protocol command "ATTACHED_PLUGIN" with the OpenVAS server and will receive a protocol error when trying to do so.
- Directories $prefix/var/openvas/users/
/plugins/ will not be created via "openvas-add-user". Existing ones are not considered anymore and can be removed.
- The settings "admin_user", "plugin_upload" and "plugin_upload_suffixes" in openvasd.conf will no longer be considered and can be removed.
- The undocumented NTP protocol command HUP_FATHER will no longer be available.
- Users that were configured as admin via "admin_user" will no longer be able to override max_checks and max_hosts.
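An audit for the leftovers listed above, as an added example that is not part of the change request or of OpenVAS. It assumes openvasd.conf uses "key = value" lines with "#" comments and that the per-user directories follow a users/*/plugins layout; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report leftovers of the removed plugin upload feature.
# It only reports; nothing is deleted or modified.

# Settings this change request lists as no longer considered.
OBSOLETE_KEYS="admin_user plugin_upload plugin_upload_suffixes"

# Print "key<TAB>line-number" for each obsolete setting still active.
# Assumption: "key = value" syntax, "#" starts a comment line.
find_obsolete_settings() {
    conf=$1
    [ -r "$conf" ] || return 2
    for key in $OBSOLETE_KEYS; do
        # Match the whole key up to "=", so plugin_upload does not
        # also report plugin_upload_suffixes; commented lines are skipped.
        grep -n -E "^[[:space:]]*${key}[[:space:]]*=" "$conf" |
            while IFS=: read -r lineno rest; do
                printf '%s\t%s\n' "$key" "$lineno"
            done
    done
}

# Print per-user upload directories that still exist below a prefix.
# Assumption: one directory per user, i.e. users/*/plugins.
find_upload_dirs() {
    prefix=$1
    for dir in "$prefix"/var/openvas/users/*/plugins; do
        [ -d "$dir" ] && printf '%s\n' "$dir"
    done
    return 0
}

# Returns 0 when clean, 1 when leftovers exist, 2 if the config is unreadable.
audit() {
    settings=$(find_obsolete_settings "$1") || return 2
    dirs=$(find_upload_dirs "$2")
    [ -z "$settings" ] && [ -z "$dirs" ] && return 0
    [ -n "$settings" ] && printf 'obsolete settings (key, line):\n%s\n' "$settings"
    [ -n "$dirs" ] && printf 'leftover upload directories:\n%s\n' "$dirs"
    return 1
}

# Usage: sh audit.sh /path/to/openvasd.conf /path/to/prefix
if [ "$#" -eq 2 ]; then
    audit "$1" "$2"
fi
```

The exit status makes the check usable in a configuration-management run: a non-zero result means a setting or directory from the removed feature is still present.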
Design and Implementation
- While keeping NTP11 protocol: Always deny upon an ATTACHED_PLUGIN command.
- After protocol upgrade: Remove module openvas-server/openvasd/pluginupload.c|h and its use.
- Remove handling of configuration parameters "plugin_upload" and "plugin_upload_suffixes" in module openvas-server/openvasd/preferences.c and openvas-server/openvasd/ntp_11.c.
- After protocol upgrade: The NTP protocol keyword "ATTACHED_PLUGIN" should be removed from openvas-server/openvasd/ntp_11.c and openvas-server/doc/ntp/ntp_extensions.txt.
- 2008-02-14 Jan-Oliver Wagner <firstname.lastname@example.org>:
- 2008-02-23 Jan-Oliver Wagner <email@example.com>:
Updated status with result of voting.
- 2008-05-09 Jan-Oliver Wagner <firstname.lastname@example.org>:
Updated status, effects and implementation.
- 2008-10-21 Michael Wiegand <email@example.com>:
- 2008-12-29 Michael Wiegand <firstname.lastname@example.org>: