Checkmk werks security November 2014

checkmk-werks-sec@lists.checkmk.com

1 participants
3 discussions

Check_MK Werk 1069: Replaced insecure auth.secret mechanism

by Lars Michelsen

ID: 1069 Title: Replaced insecure auth.secret mechanism Component: Multisite Level: 2 Class: Security Fix Version: 1.2.5i7 We replaced a insecure mechanism of generating the auth.secret which is used during construction of the authentication cookies when a user logs into the Check_MK Web GUI to make the authentication cookie only valid for an individual site or a group of sites connected in a distributed setup. What you have to know about: When the first user accesses the Web GUI after the update to this version, all currently valid auth cookies of all users will be invalidated. As a result all users will need to login again. In distributed setups you will also need to do a replication from the master site (which generated a new secret) to all slave sites (which generated another secret themselfs). The replication will synchronize the new secret of the master to all slaves which should make the transparent authentication between all sites work again.

9 years, 6 months

Check_MK Werk 1499: Fixed XSS injections in different places

by Lars Michelsen

ID: 1499 Title: Fixed XSS injections in different places Component: Multisite Level: 1 Class: Security Fix Version: 1.2.5i7 Fixed different XSS injections in the Check_MK multisite code where an authenticated user could inject custom script code to be executed during page rendering.

9 years, 6 months

Check_MK Werk 1500: Preventing livestatus injections in different places

by Lars Michelsen

ID: 1500 Title: Preventing livestatus injections in different places Component: Multisite Level: 2 Class: Security Fix Version: 1.2.5i7 In some places strings provided by the users, e.g. by filling values into a form, are used to construct livestatus queries. This is, for example, done when filtering views or executing commands. Previous versions were directly using the strings provided by the user without escaping or filtering characters which could lead into some trouble. This has been fixed now. The strings provided by the user are now filtered before using them in livestatus queries. For the moment the only implemented action is to remove all newline (\n) characters from the values to prevent injections of non intended livestatus queries / commands.

9 years, 6 months

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

Checkmk werks security November 2014