Checkmk git commits June 2014

checkmk-commits@lists.checkmk.com

6 participants
135 discussions

Check_MK Git: check_mk: FIX livedump: Fix exception in case no contact groups are defined for a service

by Mathias Kettner

Module: check_mk Branch: master Commit: 9f927a69264527384ab62ed89736bf1cc6ccc2d7 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=9f927a69264527… Author: Mathias Kettner <mk(a)mathias-kettner.de> Date: Tue Jun 24 15:42:32 2014 +0200 FIX livedump: Fix exception in case no contact groups are defined for a service --- .werks/988 | 9 +++++++++ ChangeLog | 3 +++ doc/treasures/livedump/livedump | 3 ++- 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/.werks/988 b/.werks/988 new file mode 100644 index 0000000..79698b3 --- /dev/null +++ b/.werks/988 @@ -0,0 +1,9 @@ +Title: livedump: Fix exception in case no contact groups are defined for a service +Level: 1 +Component: livestatus +Class: fix +State: unknown +Version: 1.2.5i5 +Date: 1403617324 + + diff --git a/ChangeLog b/ChangeLog index d610c5c..5fb7d96 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,9 @@ Checks & Agents: * 0994 FIX: agent plugin smart: fixed syntax error + Livestatus: + * 0988 FIX: livedump: Fix exception in case no contact groups are defined for a service + 1.2.5i4: Core & Setup: diff --git a/doc/treasures/livedump/livedump b/doc/treasures/livedump/livedump index 337b7c4..8feb977 100755 --- a/doc/treasures/livedump/livedump +++ b/doc/treasures/livedump/livedump @@ -96,7 +96,8 @@ def livedump_config(): encode_row(row) check_commands.add(row["check_command"]) row["contactsstring"] = (",".join(row["contacts"])).encode("utf-8") - row["contact_groups"] = (",".join(row["contact_groups"])).encode("utf-8") + if "contact_groups" in row: + row["contact_groups"] = (",".join(row["contact_groups"])).encode("utf-8") # Dump host config query = \

10 years

Check_MK Git: check_mk: Validate configuration of email addresses in notification plugins

by Mathias Kettner

Module: check_mk Branch: master Commit: 6be9e4e2c4cdd1e724bc4da123434aa064465bdf URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=6be9e4e2c4cdd1… Author: Mathias Kettner <mk(a)mathias-kettner.de> Date: Tue Jun 24 11:23:43 2014 +0200 Validate configuration of email addresses in notification plugins --- web/plugins/wato/notifications.py | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/web/plugins/wato/notifications.py b/web/plugins/wato/notifications.py index 45b525f..3e165b0 100644 --- a/web/plugins/wato/notifications.py +++ b/web/plugins/wato/notifications.py @@ -29,14 +29,14 @@ register_notification_parameters("mail", elements = [ ( "from", TextAscii( - title = _("From: Adress"), + title = _("From: Address"), size = 40, allow_empty = False, ) ), ( "reply_to", TextAscii( - title = _("Reply-To: Adress"), + title = _("Reply-To: Address"), size = 40, allow_empty = False, ) @@ -96,15 +96,15 @@ register_notification_parameters("asciimail", Dictionary( elements = [ ( "from", - TextAscii( - title = _("From: Adress"), + EmailAddress( + title = _("From: Address"), size = 40, allow_empty = False, ) ), ( "reply_to", - TextAscii( - title = _("Reply-To: Adress"), + EmailAddress( + title = _("Reply-To: Address"), size = 40, allow_empty = False, )

10 years

Check_MK Git: check_mk: TextAscii: disallow non-ascii characters

by Mathias Kettner

Module: check_mk Branch: master Commit: 3ddb3e3a71538c9b743bc0f07d6616242f8640c2 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=3ddb3e3a71538c… Author: Mathias Kettner <mk(a)mathias-kettner.de> Date: Tue Jun 24 11:23:03 2014 +0200 TextAscii: disallow non-ascii characters --- web/htdocs/valuespec.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/web/htdocs/valuespec.py b/web/htdocs/valuespec.py index 31afeab..c3997b5 100644 --- a/web/htdocs/valuespec.py +++ b/web/htdocs/valuespec.py @@ -390,6 +390,10 @@ class TextAscii(ValueSpec): type_name(value)) def validate_value(self, value, varprefix): + try: + unicode(value) + except: + raise MKUserError(varprefix, _("Non-ASCII characters are not allowed here.")) if self._none_is_empty and value == "": raise MKUserError(varprefix, _("An empty value must be represented with None here.")) if not self._allow_empty and value.strip() == "":

10 years

Check_MK Git: check_mk: FIX agent plugin smart: fixed syntax error

by Bernd Stroessenreuther

Module: check_mk Branch: master Commit: 3de6aef906e1f417d47195bc4bd7e1d5e248eba4 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=3de6aef906e1f4… Author: Bernd Stroessenreuther <bs(a)mathias-kettner.de> Date: Tue Jun 24 09:52:03 2014 +0200 FIX agent plugin smart: fixed syntax error --- .werks/994 | 9 +++++++++ ChangeLog | 3 +++ 2 files changed, 12 insertions(+) diff --git a/.werks/994 b/.werks/994 new file mode 100644 index 0000000..c4e05f1 --- /dev/null +++ b/.werks/994 @@ -0,0 +1,9 @@ +Title: agent plugin smart: fixed syntax error +Level: 1 +Component: checks +Class: fix +State: unknown +Version: 1.2.5i5 +Date: 1403596306 + + diff --git a/ChangeLog b/ChangeLog index ffe4913..d610c5c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,7 @@ 1.2.5i5: + Checks & Agents: + * 0994 FIX: agent plugin smart: fixed syntax error + 1.2.5i4: Core & Setup:

10 years

Check_MK Git: check_mk: agent plugin smart: fixed syntax error

by Bernd Stroessenreuther

Module: check_mk Branch: master Commit: d1a1cd4e3f6424145a63d79c4c5fc18e394648cc URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=d1a1cd4e3f6424… Author: Bernd Stroessenreuther <bs(a)mathias-kettner.de> Date: Tue Jun 24 09:45:16 2014 +0200 agent plugin smart: fixed syntax error --- agents/plugins/smart | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/agents/plugins/smart b/agents/plugins/smart index a995367..1a0b8f5 100755 --- a/agents/plugins/smart +++ b/agents/plugins/smart @@ -42,7 +42,7 @@ if which smartctl > /dev/null 2>&1 ; then MODEL=$(smartctl -a $D | grep -i "device model" | sed -e "s/.*:[ ]*//g" -e "s/\ /_/g") fi # Excluded disk models for SAN arrays or certain RAID luns that are also not usable.. - if [ "$MODEL" = "iSCSI_Disk" ] || ["$MODEL" = "LOGICAL_VOLUME" ]; then + if [ "$MODEL" = "iSCSI_Disk" -o "$MODEL" = "LOGICAL_VOLUME" ]; then continue fi

10 years

Check_MK Git: check_mk: FIX check_mk-winperf.cpuusage.php: now displays AVERAGE values instead of MAX

by Andreas Boesl

Module: check_mk Branch: master Commit: c310f35475b4791756bbd1776192841ae0bb1b46 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=c310f35475b479… Author: Andreas Boesl <ab(a)mathias-kettner.de> Date: Tue Jun 24 08:54:46 2014 +0200 FIX check_mk-winperf.cpuusage.php: now displays AVERAGE values instead of MAX This change makes pnpgraphs with greater timeframes consistent --- .werks/942 | 8 ++++++++ ChangeLog | 1 + pnp-templates/check_mk-winperf.cpuusage.php | 2 +- 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/.werks/942 b/.werks/942 new file mode 100644 index 0000000..272d7cd --- /dev/null +++ b/.werks/942 @@ -0,0 +1,8 @@ +Title: check_mk-winperf.cpuusage.php: now displays AVERAGE values instead of MAX +Level: 1 +Component: multisite +Version: 1.2.5i4 +Date: 1403592799 +Class: fix + +This change makes pnpgraphs with greater timeframes consistent diff --git a/ChangeLog b/ChangeLog index ddf46eb..c7476e3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -31,6 +31,7 @@ * 0939 FIX: Fixed multisite exception caused by missing explanation text for a AUTODELETE event action * 0822 FIX: Sorting columns in view dashlets is now working again * 0941 FIX: esx_vsphere_hostsystem.cpu_usage: pnpgraph now displays AVERAGE instead of MAX values in all timeframes... + * 0942 FIX: check_mk-winperf.cpuusage.php: now displays AVERAGE values instead of MAX... WATO: * 0984 Fix code injection for logged in users via automation url... diff --git a/pnp-templates/check_mk-winperf.cpuusage.php b/pnp-templates/check_mk-winperf.cpuusage.php index b8d71b9..e9a2cbe 100644 --- a/pnp-templates/check_mk-winperf.cpuusage.php +++ b/pnp-templates/check_mk-winperf.cpuusage.php @@ -26,7 +26,7 @@ $opt[1] = "--vertical-label 'Percent' -l0 -u100 --title \"CPU Utilization of $hostname\" "; -$def[1] = "DEF:usage=$RRDFILE[1]:$DS[1]:MAX "; +$def[1] = "DEF:usage=$RRDFILE[1]:$DS[1]:AVERAGE"; $def[1] .= "AREA:usage#60f020:\"CPU utilization\" "; $def[1] .= "LINE:usage#40d010 ";

10 years

Check_MK Git: check_mk: FIX esx_vsphere_hostsystem.cpu_usage:

by Andreas Boesl

pnpgraph now displays AVERAGE instead of MAX values in all timeframes Message-ID: <53a851fd.WT0H3oW9ID8qPZg/%ab(a)mathias-kettner.de> User-Agent: Heirloom mailx 12.4 7/29/08 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Module: check_mk Branch: master Commit: 69f14ec0133631e6793ab7fe82764c50663c63ee URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=69f14ec0133631… Author: Andreas Boesl <ab(a)mathias-kettner.de> Date: Mon Jun 23 18:04:54 2014 +0200 FIX esx_vsphere_hostsystem.cpu_usage: pnpgraph now displays AVERAGE instead of MAX values in all timeframes Affected pnptemplates are: check_mk-enterasys_cpu_util, check_mk-esx_vsphere_hostsystem.cpu_usage, check_mk-innovaphone_cpu --- .werks/941 | 8 ++++++++ ChangeLog | 1 + pnp-templates/check_mk-esx_vsphere_hostsystem.cpu_usage.php | 7 ++++--- 3 files changed, 13 insertions(+), 3 deletions(-) diff --git a/.werks/941 b/.werks/941 new file mode 100644 index 0000000..96f6c1f --- /dev/null +++ b/.werks/941 @@ -0,0 +1,8 @@ +Title: esx_vsphere_hostsystem.cpu_usage: pnpgraph now displays AVERAGE instead of MAX values in all timeframes +Level: 1 +Component: multisite +Version: 1.2.5i4 +Date: 1403539365 +Class: fix + +Affected pnptemplates are: check_mk-enterasys_cpu_util, check_mk-esx_vsphere_hostsystem.cpu_usage, check_mk-innovaphone_cpu diff --git a/ChangeLog b/ChangeLog index 4ddd575..7faf755 100644 --- a/ChangeLog +++ b/ChangeLog @@ -28,6 +28,7 @@ * 0938 FIX: logwatch: fixed incorrect display of warning messages * 0939 FIX: Fixed multisite exception caused by missing explanation text for a AUTODELETE event action * 0822 FIX: Sorting columns in view dashlets is now working again + * 0941 FIX: esx_vsphere_hostsystem.cpu_usage: pnpgraph now displays AVERAGE instead of MAX values in all timeframes... WATO: * 0987 New button for updating DNS cache... diff --git a/pnp-templates/check_mk-esx_vsphere_hostsystem.cpu_usage.php b/pnp-templates/check_mk-esx_vsphere_hostsystem.cpu_usage.php index 0896ac5..59b1603 100644 --- a/pnp-templates/check_mk-esx_vsphere_hostsystem.cpu_usage.php +++ b/pnp-templates/check_mk-esx_vsphere_hostsystem.cpu_usage.php @@ -27,6 +27,7 @@ $RRD = array(); foreach ($NAME as $i => $n) { $RRD[$n] = "$RRDFILE[$i]:$DS[$i]:MAX"; + $RRD_AVG[$n] = "$RRDFILE[$i]:$DS[$i]:AVERAGE"; $WARN[$n] = $WARN[$i]; $CRIT[$n] = $CRIT[$i]; $MIN[$n] = $MIN[$i]; @@ -40,7 +41,7 @@ $rightscale = 100.0 / $num_threads; $opt[1] = "--vertical-label 'Used CPU threads' --right-axis $rightscale:0 --right-axis-format '%4.1lf%%' --right-axis-label 'Utilization %' -l0 -ru $num_threads --title \"CPU Utilization for $hostname ($num_threads CPU threads)\" "; -$def[1] = "DEF:perc=$RRD[util] " +$def[1] = "DEF:perc=$RRD_AVG[util] " . "CDEF:util=perc,$num_threads,*,100,/ " ; @@ -58,8 +59,8 @@ $def[1] .= "AREA:util#60f020:\"Utilization\:\" " ; -if (isset($RRD["avg"])) { - $def[1] .= "DEF:aperc=$RRD[avg] ". +if (isset($RRD_AVG["avg"])) { + $def[1] .= "DEF:aperc=$RRD_AVG[avg] ". "CDEF:avg=aperc,$num_threads,*,100,/ ". "LINE:avg#004000:\"Averaged\: \" ". "GPRINT:aperc:LAST:\"%.1lf%%,\" ".

10 years

Check_MK Git: check_mk: Fix code injection for logged in users via automation url

by Lars Michelsen

Module: check_mk Branch: master Commit: 0fe2a45b299a8f5c5da332410eec2c45aac2ba1e URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=0fe2a45b299a8f… Author: Lars Michelsen <lm(a)mathias-kettner.de> Date: Mon Jun 23 16:01:20 2014 +0200 Fix code injection for logged in users via automation url This fixes CVSS 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C. The description: The check_mk applications uses insecure API calls, which allow an attacker to execute arbitrary code on the server by issuing just a single URL. The reason for this is the usage of the insecure "pickle" API call. Apparently this was modified as a security means from a former version, which used "eval"-like structures with untrusted input data. Anyhow, as the python API documentation clearly state, "pickle" should be considered unsafe as well, see: <tt>https://docs.python.org/2/library/pickle.html</tt>. The fix replaces <tt>pickle<tt> with a module called <tt>ast</tt>. Unfortunately this module is not available on Centos/RedHat 5.X and Debian 5. On these systems WATO still uses <tt>pickle</tt>, even with this fix. Note: This change makes the current Check_MK versions incompatible to older versions. In a mixed environment with old and new Check_MK versions or with old and newer Python versions you have to force WATO to use the old unsafe method by setting <tt>wato_legacy_eval = True<tt> in <tt>multisite.mk</tt>. This can also be done with the new global WATO setting Use unsafe legacy encoding for distributed WATO. Conflicts: web/plugins/config/wato.py --- .werks/984 | 28 ++++++++++++++++++++++++++++ ChangeLog | 2 ++ web/htdocs/wato.py | 14 ++++++++++++-- web/plugins/config/wato.py | 1 + web/plugins/wato/check_mk_configuration.py | 14 ++++++++++++++ 5 files changed, 57 insertions(+), 2 deletions(-) diff --git a/.werks/984 b/.werks/984 new file mode 100644 index 0000000..2af5ca2 --- /dev/null +++ b/.werks/984 @@ -0,0 +1,28 @@ +Title: Fix code injection for logged in users via automation url +Level: 2 +Component: wato +Class: incomp +State: unknown +Version: 1.2.5i4 +Date: 1401195677 + +This fixes CVSS 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C. The description: + +The check_mk applications uses insecure API calls, which allow an attacker +to execute arbitrary code on the server by issuing just a single URL. The +reason for this is the usage of the insecure "pickle" API call. Apparently +this was modified as a security means from a former version, which used +"eval"-like structures with untrusted input data. Anyhow, as the python API +documentation clearly state, "pickle" should be considered unsafe as well, +see: <tt>https://docs.python.org/2/library/pickle.html</tt>. + +The fix replaces <tt>pickle<tt> with a module called <tt>ast</tt>. Unfortunately +this module is not available on Centos/RedHat 5.X and Debian 5. On these +systems WATO still uses <tt>pickle</tt>, even with this fix. + +Note: This change makes the current Check_MK versions incompatible +to older versions. In a mixed environment with old and new Check_MK versions or with old +and newer Python versions you have to force WATO to use the old +unsafe method by setting <tt>wato_legacy_eval = True<tt> in <tt>multisite.mk</tt>. +This can also be done with the new global WATO setting Use unsafe legacy +encoding for distributed WATO. diff --git a/ChangeLog b/ChangeLog index 57219a8..4facaf0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -32,6 +32,8 @@ * 0822 FIX: Sorting columns in view dashlets is now working again WATO: + * 0984 Fix code injection for logged in users via automation url... + NOTE: Please refer to the migration notes! * 0987 New button for updating DNS cache... * 0824 SEC: Valuespecs: Fixed several possible HTML injections in valuespecs... * 0813 FIX: LDAP: Improved slightly missleading logging of LDAP sync actions... diff --git a/web/htdocs/wato.py b/web/htdocs/wato.py index edf2644..972ea68 100644 --- a/web/htdocs/wato.py +++ b/web/htdocs/wato.py @@ -16964,12 +16964,22 @@ def validate_all_hosts(hostnames, force_all = False): # '----------------------------------------------------------------------' import base64 +try: + import ast +except: + ast = None def mk_eval(s): - return pickle.loads(base64.b64decode(s)) + if ast and not config.wato_legacy_eval: + return ast.literal_eval(base64.b64decode(s)) + else: + return pickle.loads(base64.b64decode(s)) def mk_repr(s): - return base64.b64encode(pickle.dumps(s)) + if ast and not config.wato_legacy_eval: + return base64.b64encode(repr(s)) + else: + return base64.b64encode(pickle.dumps(s)) # Returns true when at least one folder is defined in WATO def have_folders(): diff --git a/web/plugins/config/wato.py b/web/plugins/config/wato.py index 590a145..844ed8b 100644 --- a/web/plugins/config/wato.py +++ b/web/plugins/config/wato.py @@ -40,6 +40,7 @@ wato_write_nagvis_auth = False wato_use_git = False wato_hidden_users = [] wato_user_attrs = [] +wato_legacy_eval = False def tag_alias(tag): for entry in wato_host_tags: diff --git a/web/plugins/wato/check_mk_configuration.py b/web/plugins/wato/check_mk_configuration.py index dd48836..4a0aaac 100644 --- a/web/plugins/wato/check_mk_configuration.py +++ b/web/plugins/wato/check_mk_configuration.py @@ -483,6 +483,20 @@ register_configvar(group, domain = "multisite" ) +register_configvar(group, + "wato_legacy_eval", + Checkbox( + title = _("Use unsafe legacy encoding for distributed WATO"), + help = _("The current implementation of WATO uses a Python module called <tt>ast</tt> for the " + "communication between sites. Previous versions of Check_MK used an insecure encoding " + "named <tt>pickle</tt>. Even in the current version WATO falls back to <tt>pickle</tt> " + "if your Python version is not recent enough. This is at least the case for RedHat/CentOS 5.X " + "and Debian 5.0. In a mixed environment you can force using the legacy <tt>pickle</tt> format " + "in order to create compatibility."), + ), + domain = "multisite" +) + register_configvar(group, "wato_hide_filenames",

10 years

Check_MK Git: check_mk: FIX Fix security issue in code of row selections ( checkboxes) (CVSS 4.9 AV:N/AC:M/Au:S/C:N/I:P/A:P)

by Mathias Kettner

Module: check_mk Branch: master Commit: 78c0c2779393a822f62924c662b8022572a1be9c URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=78c0c2779393a8… Author: Mathias Kettner <mk(a)mathias-kettner.de> Date: Tue May 27 11:59:11 2014 +0200 FIX Fix security issue in code of row selections (checkboxes) (CVSS 4.9 AV:N/AC:M/Au:S/C:N/I:P/A:P) The fixed weakness was: The check_mk application does allow an attacker to write check_mk config files (.mk files) on arbitrary locations on the server filesystem. --- .werks/983 | 12 ++++++++++++ ChangeLog | 1 + web/htdocs/weblib.py | 9 ++++++++- 3 files changed, 21 insertions(+), 1 deletion(-) diff --git a/.werks/983 b/.werks/983 new file mode 100644 index 0000000..ae7e8f7 --- /dev/null +++ b/.werks/983 @@ -0,0 +1,12 @@ +Title: Fix security issue in code of row selections (checkboxes) (CVSS 4.9 AV:N/AC:M/Au:S/C:N/I:P/A:P) +Level: 2 +Component: multisite +Class: security +State: unknown +Version: 1.2.5i4 +Date: 1401184643 + +The fixed weakness was: + +The check_mk application does allow an attacker to write check_mk config files +(.mk files) on arbitrary locations on the server filesystem. diff --git a/ChangeLog b/ChangeLog index 7b578f3..57219a8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,6 +23,7 @@ Multisite: * 0982 SEC: Fix two XSS weaknesses according to CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C... + * 0983 SEC: Fix security issue in code of row selections (checkboxes) (CVSS 4.9 AV:N/AC:M/Au:S/C:N/I:P/A:P)... * 0934 FIX: Logwatch messages with class unknown ( 'u' ) now displayed as WARN... * 0166 FIX: mobile gui: Fixed colors of command list... * 0820 FIX: Fixed wrong NagVis links in "custom links" snapin diff --git a/web/htdocs/weblib.py b/web/htdocs/weblib.py index f3c6022..f00ccef 100644 --- a/web/htdocs/weblib.py +++ b/web/htdocs/weblib.py @@ -26,6 +26,7 @@ import config import lib +import re def ajax_tree_openclose(): html.load_tree_states() @@ -78,7 +79,13 @@ def selection_id(): if not html.has_var('selection'): sel_id = lib.gen_id() html.add_var('selection', sel_id) - return html.var('selection') + else: + sel_id = html.var('selection') + # Avoid illegal file access by introducing .. or / + if not re.match("^[-0-9a-zA-Z]+$", sel_id): + return lib.gen_id() + else: + return sel_id def get_rowselection(ident): vo = config.load_user_file("rowselection/%s" % selection_id(), {})

10 years

Check_MK Git: check_mk: FIX Fix two XSS weaknesses according to CVSS 8.5 AV :N/AC:M/Au:S/C:C/I:C/A:C

by Mathias Kettner

Module: check_mk Branch: master Commit: 076468b10e660abdeaaaa6c459a4aa3ce8e07722 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=076468b10e660a… Author: Mathias Kettner <mk(a)mathias-kettner.de> Date: Tue May 27 11:46:07 2014 +0200 FIX Fix two XSS weaknesses according to CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C This fixes the following issue: The check_mk application is susceptible to reflected XSS attacks. This is mainly the result of inproper output encoding. Reflected XSS can be triggered by sending a malicious URL to a user of the check_mk application. Once the XSS attack is triggered, the attacker has access to the full check_mk (and nagios) application with the access rights of the logged in victim. The fix applies to the function: htmllib.py: render_status_icons() actions.py: ajax_action() --- .werks/982 | 20 ++++++++++++++++++++ ChangeLog | 1 + web/htdocs/actions.py | 2 +- web/htdocs/htmllib.py | 2 +- 4 files changed, 23 insertions(+), 2 deletions(-) diff --git a/.werks/982 b/.werks/982 new file mode 100644 index 0000000..0ff464c --- /dev/null +++ b/.werks/982 @@ -0,0 +1,20 @@ +Title: Fix two XSS weaknesses according to CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C +Level: 2 +Component: multisite +Class: security +State: unknown +Version: 1.2.5i4 +Date: 1401183811 + +This fixes the following issue: + +The check_mk application is susceptible to reflected XSS attacks. This is +mainly the result of inproper output encoding. Reflected XSS can be triggered +by sending a malicious URL to a user of the check_mk application. Once the +XSS attack is triggered, the attacker has access to the full check_mk (and +nagios) application with the access rights of the logged in victim. + +The fix applies to the function: + +htmllib.py: render_status_icons() +actions.py: ajax_action() diff --git a/ChangeLog b/ChangeLog index 4ddd575..7b578f3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -22,6 +22,7 @@ * 0823 FIX: mk_sap: Fixed some wrong calculated values (decimal numbers)... Multisite: + * 0982 SEC: Fix two XSS weaknesses according to CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C... * 0934 FIX: Logwatch messages with class unknown ( 'u' ) now displayed as WARN... * 0166 FIX: mobile gui: Fixed colors of command list... * 0820 FIX: Fixed wrong NagVis links in "custom links" snapin diff --git a/web/htdocs/actions.py b/web/htdocs/actions.py index 20e9ebd..05e894e 100644 --- a/web/htdocs/actions.py +++ b/web/htdocs/actions.py @@ -34,7 +34,7 @@ def ajax_action(): if action == "reschedule": action_reschedule() else: - raise MKGeneralException("Invalid action '%s'" % action) + raise MKGeneralException("Invalid action.") except Exception, e: html.write("['ERROR', %r]\n" % str(e)) diff --git a/web/htdocs/htmllib.py b/web/htdocs/htmllib.py index eceb14b..afde184 100644 --- a/web/htdocs/htmllib.py +++ b/web/htdocs/htmllib.py @@ -244,7 +244,7 @@ class html: vars = [ i for i in vars if not i[0].startswith(remove_prefix) ] vars = vars + addvars if filename == None: - filename = self.myfile + ".py" + filename = self.urlencode(self.myfile) + ".py" if vars: return filename + "?" + self.urlencode_vars(vars) else:

10 years

← Newer
1
2
3
4
5
6
7
8
...
14
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

Checkmk git commits June 2014