ID: 1069
Title: Replaced insecure auth.secret mechanism
Component: Multisite
Level: 2
Class: Security Fix
Version: 1.2.5i7
We replaced an insecure mechanism for generating the auth.secret, which
is used when constructing the authentication cookies when a user
logs into the Check_MK Web GUI. The secret makes the authentication cookie
valid only for an individual site or a group of sites connected in a
distributed setup.
What you have to know about:
When the first user accesses the Web GUI after the update to this version,
all currently valid auth cookies of all users will be invalidated. As a
result all users will need to login again.
In distributed setups you will also need to do a replication from the
master site (which generated a new secret) to all slave sites (which
generated another secret themselves). The replication will synchronize
the new secret of the master to all slaves, which should make the
transparent authentication between all sites work again.
ID: 1499
Title: Fixed XSS injections in different places
Component: Multisite
Level: 1
Class: Security Fix
Version: 1.2.5i7
Fixed different XSS injections in the Check_MK multisite code
where an authenticated user could inject custom script code
to be executed during page rendering.
ID: 1500
Title: Preventing livestatus injections in different places
Component: Multisite
Level: 2
Class: Security Fix
Version: 1.2.5i7
In some places strings provided by the users, e.g. by filling values into a form,
are used to construct livestatus queries. This is, for example, done when filtering
views or executing commands.
Previous versions used the strings provided by the user directly, without
escaping or filtering characters, which could lead to trouble. This has
been fixed now. The strings provided by the user are now filtered before they
are used in livestatus queries.
For the moment the only implemented action is to remove all newline (\n) characters
from the values to prevent injection of unintended livestatus queries / commands.