How secure is it to access the PRTG web interface with Firefox?


I use the Mozilla Firefox web browser to connect to the PRTG web GUI. Is it secure to access PRTG with Firefox? Are there cross-site scripting vulnerabilities which make XSS exploits possible?

firefox prtg reghack registry security xss

Created on Jun 30, 2016 3:56:31 PM by  Gerald Schoch [Paessler Support]



1 Reply

Accepted Answer


This article applies to PRTG Network Monitor 16.x.25 or later

XSS Exploits in Firefox and PRTG Security

PRTG comes with the highest security standards possible for monitoring tools and we constantly improve and update these standards (just look for "security" in the PRTG version history). PRTG is also well protected against cross-site scripting (XSS) attacks. To eliminate this danger as far as possible, the PRTG web server removes all custom HTML parameters from HTTP requests which could potentially be used for XSS exploits. This XSS filter works on Google Chrome and Internet Explorer but Firefox still does not support the used HTTP header X-XSS-Protection (see Bug 528661 on Bugzilla@Mozilla).

This means that Firefox is potentially vulnerable to XSS exploits. For PRTG these exploits are only possible if you click phishing links that contain malicious code, for example, in emails, and you are currently logged in to PRTG with Firefox. The best protection against XSS vulnerability is: Never click suspicious links anywhere and ensure received emails from PRTG or the Paessler AG are really coming from your PRTG server or the Paessler AG.

For security and performance reasons, we strongly recommend that you always use the latest version of Google Chrome to access the PRTG web interface.

Enhancing Security for PRTG Access with Firefox

If you want to minimize the risk of XSS exploits in Firefox, you can enhance the security with a registry key option for PRTG. This option prevents custom HTML parameters from being loaded in PRTG. Note that if you set this option, the content of error pages in PRTG will no longer be displayed correctly. Please also be aware that Firefox will not be completely safe against XSS even then, so always watch out for phishing attempts!

Steps to Take

Caution: Please back up your system before manipulating the Windows registry!

  1. Open the registry editor and navigate to the following subkey:
    1. On a 64-bit Windows system, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Paessler\PRTG Network Monitor\Server\Core
    2. On a 32-bit Windows system, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Paessler\PRTG Network Monitor\Server\Core
  2. Create a new DWORD:
    1. In the current subkey, right-click to open the context menu.
    2. Choose New | DWORD Value
    3. Name the new value ForceReplaceParams
  3. Set the value of ForceReplaceParams to 1:
    1. Right-click the DWORD ForceReplaceParams
    2. Select Modify…
    3. In the value field, enter 1
    4. Confirm with OK
  4. Restart the PRTG core server to activate the settings.

This registry key option removes custom HTML parameters when accessing the PRTG web interface and reduces the risks of XSS attacks. PRTG error pages will not be displayed correctly with this option enabled. Set the DWORD value to 0 to revert to default.

Created on Jun 30, 2016 3:59:22 PM by  Gerald Schoch [Paessler Support]

Last change on Jul 1, 2016 3:25:51 PM by  Gerald Schoch [Paessler Support]
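
The registry steps in the answer above, scripted for an elevated PowerShell session on the PRTG core server. This is an added example, not part of the original answer and not Paessler's code; the backup location and the service name `PRTGCoreService` are assumptions to check on your host.

```powershell
# Added example: back up the PRTG Core subkey, set ForceReplaceParams, verify, restart.
param(
    [ValidateSet(0, 1)][int]$Value = 1,        # 1 = remove custom HTML parameters, 0 = default
    [string]$BackupDir = $env:TEMP,            # assumption: where the .reg backup is written
    [string]$ServiceName = 'PRTGCoreService'   # assumption: confirm with Get-Service first
)
$ErrorActionPreference = 'Stop'

# Choose the subkey named in the answer according to OS bitness.
$sub = if ([Environment]::Is64BitOperatingSystem) {
    'SOFTWARE\WOW6432Node\Paessler\PRTG Network Monitor\Server\Core'
} else {
    'SOFTWARE\Paessler\PRTG Network Monitor\Server\Core'
}
$psPath = "HKLM:\$sub"
if (-not (Test-Path $psPath)) {
    throw "Subkey not found: $psPath (is this the PRTG core server?)"
}

# Export the subkey before touching it, so the change can be rolled back.
$backup = Join-Path $BackupDir ("prtg-core-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
& reg.exe export "HKLM\$sub" $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Registry export failed; nothing was changed.' }

# Read the current value; a missing value yields $null.
$current = (Get-ItemProperty -Path $psPath -Name ForceReplaceParams `
            -ErrorAction SilentlyContinue).ForceReplaceParams
if ($current -eq $Value) {
    Write-Output "ForceReplaceParams is already $Value; no change made."
    return
}

# Create or overwrite the DWORD, then read it back to confirm the write.
New-ItemProperty -Path $psPath -Name ForceReplaceParams `
    -PropertyType DWord -Value $Value -Force | Out-Null
$readBack = (Get-ItemProperty -Path $psPath -Name ForceReplaceParams).ForceReplaceParams
if ($readBack -ne $Value) { throw "Write not confirmed; restore from $backup" }

# The setting only takes effect after the core server restarts.
Restart-Service -Name $ServiceName
Write-Output "ForceReplaceParams: '$current' -> $readBack (backup: $backup)"
```

Running the script with `-Value 0` reverts to the default. As the answer notes, PRTG error pages are not displayed correctly while the value is 1.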


