Module: check_mk
Branch: master
Commit: 0fe2a45b299a8f5c5da332410eec2c45aac2ba1e
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=0fe2a45b299a8f…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Mon Jun 23 16:01:20 2014 +0200
Fix code injection for logged in users via automation url
This fixes CVSS 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C. The description:
<i>The check_mk applications uses insecure API calls, which allow an attacker
to execute arbitrary code on the server by issuing just a single URL. The
reason for this is the usage of the insecure "pickle" API call. Apparently
this was modified as a security means from a former version, which used
"eval"-like structures with untrusted input data. Anyhow, as the python API
documentation clearly state, "pickle" should be considered unsafe as well,
see: <tt>https://docs.python.org/2/library/pickle.html</tt>.</i>
The fix replaces <tt>pickle</tt> with a module called <tt>ast</tt>. Unfortunately
this module is not available on Centos/RedHat 5.X and Debian 5. On these
systems WATO still uses <tt>pickle</tt>, even with this fix.
<b>Note:</b> This change makes the current Check_MK versions incompatible
with older versions. In a mixed environment with old and new Check_MK versions or with old
and newer Python versions you have to force WATO to use the old
unsafe method by setting <tt>wato_legacy_eval = True</tt> in <tt>multisite.mk</tt>.
This can also be done with the new global WATO setting <i>Use unsafe legacy
encoding for distributed WATO</i>.
Conflicts:
web/plugins/config/wato.py
---
.werks/984 | 28 ++++++++++++++++++++++++++++
ChangeLog | 2 ++
web/htdocs/wato.py | 14 ++++++++++++--
web/plugins/config/wato.py | 1 +
web/plugins/wato/check_mk_configuration.py | 14 ++++++++++++++
5 files changed, 57 insertions(+), 2 deletions(-)
diff --git a/.werks/984 b/.werks/984
new file mode 100644
index 0000000..2af5ca2
--- /dev/null
+++ b/.werks/984
@@ -0,0 +1,28 @@
+Title: Fix code injection for logged in users via automation url
+Level: 2
+Component: wato
+Class: incomp
+State: unknown
+Version: 1.2.5i4
+Date: 1401195677
+
+This fixes CVSS 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C. The description:
+
+<i>The check_mk applications uses insecure API calls, which allow an attacker
+to execute arbitrary code on the server by issuing just a single URL. The
+reason for this is the usage of the insecure "pickle" API call. Apparently
+this was modified as a security means from a former version, which used
+"eval"-like structures with untrusted input data. Anyhow, as the python API
+documentation clearly state, "pickle" should be considered unsafe as well,
+see: <tt>https://docs.python.org/2/library/pickle.html</tt>.</i>
+
+The fix replaces <tt>pickle<tt> with a module called <tt>ast</tt>. Unfortunately
+this module is not available on Centos/RedHat 5.X and Debian 5. On these
+systems WATO still uses <tt>pickle</tt>, even with this fix.
+
+<b>Note:</b> This change makes the current Check_MK versions incompatible
+to older versions. In a mixed environment with old and new Check_MK versions or with old
+and newer Python versions you have to force WATO to use the old
+unsafe method by setting <tt>wato_legacy_eval = True<tt> in <tt>multisite.mk</tt>.
+This can also be done with the new global WATO setting <i>Use unsafe legacy
+encoding for distributed WATO</i>.
diff --git a/ChangeLog b/ChangeLog
index 57219a8..4facaf0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -32,6 +32,8 @@
* 0822 FIX: Sorting columns in view dashlets is now working again
WATO:
+ * 0984 Fix code injection for logged in users via automation url...
+ NOTE: Please refer to the migration notes!
* 0987 New button for updating DNS cache...
* 0824 SEC: Valuespecs: Fixed several possible HTML injections in valuespecs...
* 0813 FIX: LDAP: Improved slightly missleading logging of LDAP sync actions...
diff --git a/web/htdocs/wato.py b/web/htdocs/wato.py
index edf2644..972ea68 100644
--- a/web/htdocs/wato.py
+++ b/web/htdocs/wato.py
@@ -16964,12 +16964,22 @@ def validate_all_hosts(hostnames, force_all = False):
# '----------------------------------------------------------------------'
import base64
+try:
+ import ast
+except:
+ ast = None
def mk_eval(s):
- return pickle.loads(base64.b64decode(s))
+ if ast and not config.wato_legacy_eval:
+ return ast.literal_eval(base64.b64decode(s))
+ else:
+ return pickle.loads(base64.b64decode(s))
def mk_repr(s):
- return base64.b64encode(pickle.dumps(s))
+ if ast and not config.wato_legacy_eval:
+ return base64.b64encode(repr(s))
+ else:
+ return base64.b64encode(pickle.dumps(s))
# Returns true when at least one folder is defined in WATO
def have_folders():
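Review bot: The bare `except:` guarding `import ast` (just after `import base64`) catches every exception, not only a missing module, so any other failure while importing would be masked and silently route mk_eval and mk_repr to the pickle fallback; narrow it to `except ImportError:`. The fallback itself deserves a comment because it is the only remaining path that unpickles request-supplied data, e.g. `# pickle fallback: Python without ast, or wato_legacy_eval set; deserialises request-controlled data (werk 984)` above the `else:` in mk_eval. Note too that `repr` is not a full inverse of `ast.literal_eval`: non-finite floats repr as `inf`/`nan`, which `literal_eval` rejects, and non-literal objects produce unparsable reprs, so values pickle used to round-trip will now raise `ValueError` on the receiving side — presumably acceptable for what WATO exchanges, but worth confirming.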
diff --git a/web/plugins/config/wato.py b/web/plugins/config/wato.py
index 590a145..844ed8b 100644
--- a/web/plugins/config/wato.py
+++ b/web/plugins/config/wato.py
@@ -40,6 +40,7 @@ wato_write_nagvis_auth = False
wato_use_git = False
wato_hidden_users = []
wato_user_attrs = []
+wato_legacy_eval = False
def tag_alias(tag):
for entry in wato_host_tags:
diff --git a/web/plugins/wato/check_mk_configuration.py b/web/plugins/wato/check_mk_configuration.py
index dd48836..4a0aaac 100644
--- a/web/plugins/wato/check_mk_configuration.py
+++ b/web/plugins/wato/check_mk_configuration.py
@@ -483,6 +483,20 @@ register_configvar(group,
domain = "multisite"
)
+register_configvar(group,
+ "wato_legacy_eval",
+ Checkbox(
+ title = _("Use unsafe legacy encoding for distributed WATO"),
+ help = _("The current implementation of WATO uses a Python module called <tt>ast</tt> for the "
+ "communication between sites. Previous versions of Check_MK used an insecure encoding "
+ "named <tt>pickle</tt>. Even in the current version WATO falls back to <tt>pickle</tt> "
+ "if your Python version is not recent enough. This is at least the case for RedHat/CentOS 5.X "
+ "and Debian 5.0. In a mixed environment you can force using the legacy <tt>pickle</tt> format "
+ "in order to create compatibility."),
+ ),
+ domain = "multisite"
+)
+
register_configvar(group,
"wato_hide_filenames",
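Review bot: The help text for `wato_legacy_eval` explains the compatibility reason for the option but not what an administrator gives up by enabling it: the checkbox reverts mk_eval to `pickle.loads` on data received over the automation URL, which is the code-injection issue this commit fixes. Append a sentence such as `"Enabling this option re-opens the remote code execution issue fixed in werk 984; set it only temporarily while mixed-version sites are migrated."` so the trade-off is visible where the setting is made. The commit message already states this, but users configuring the option never see the commit message.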
Module: check_mk
Branch: master
Commit: 076468b10e660abdeaaaa6c459a4aa3ce8e07722
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=076468b10e660a…
Author: Mathias Kettner <mk(a)mathias-kettner.de>
Date: Tue May 27 11:46:07 2014 +0200
FIX Fix two XSS weaknesses according to CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
This fixes the following issue:
The check_mk application is susceptible to reflected XSS attacks. This is
mainly the result of improper output encoding. Reflected XSS can be triggered
by sending a malicious URL to a user of the check_mk application. Once the
XSS attack is triggered, the attacker has access to the full check_mk (and
nagios) application with the access rights of the logged in victim.
The fix applies to the function:
htmllib.py: render_status_icons()
actions.py: ajax_action()
---
.werks/982 | 20 ++++++++++++++++++++
ChangeLog | 1 +
web/htdocs/actions.py | 2 +-
web/htdocs/htmllib.py | 2 +-
4 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/.werks/982 b/.werks/982
new file mode 100644
index 0000000..0ff464c
--- /dev/null
+++ b/.werks/982
@@ -0,0 +1,20 @@
+Title: Fix two XSS weaknesses according to CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
+Level: 2
+Component: multisite
+Class: security
+State: unknown
+Version: 1.2.5i4
+Date: 1401183811
+
+This fixes the following issue:
+
+The check_mk application is susceptible to reflected XSS attacks. This is
+mainly the result of inproper output encoding. Reflected XSS can be triggered
+by sending a malicious URL to a user of the check_mk application. Once the
+XSS attack is triggered, the attacker has access to the full check_mk (and
+nagios) application with the access rights of the logged in victim.
+
+The fix applies to the function:
+
+htmllib.py: render_status_icons()
+actions.py: ajax_action()
diff --git a/ChangeLog b/ChangeLog
index 4ddd575..7b578f3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -22,6 +22,7 @@
* 0823 FIX: mk_sap: Fixed some wrong calculated values (decimal numbers)...
Multisite:
+ * 0982 SEC: Fix two XSS weaknesses according to CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C...
* 0934 FIX: Logwatch messages with class unknown ( 'u' ) now displayed as WARN...
* 0166 FIX: mobile gui: Fixed colors of command list...
* 0820 FIX: Fixed wrong NagVis links in "custom links" snapin
diff --git a/web/htdocs/actions.py b/web/htdocs/actions.py
index 20e9ebd..05e894e 100644
--- a/web/htdocs/actions.py
+++ b/web/htdocs/actions.py
@@ -34,7 +34,7 @@ def ajax_action():
if action == "reschedule":
action_reschedule()
else:
- raise MKGeneralException("Invalid action '%s'" % action)
+ raise MKGeneralException("Invalid action.")
except Exception, e:
html.write("['ERROR', %r]\n" % str(e))
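Review bot: Replacing the action name with a fixed message removes one reflection point, but the handler two lines below still writes `str(e)` into the response with `%r` and no HTML escaping, so any exception raised inside `action_reschedule()` whose message echoes request parameters is reflected in the same way; `%r` only adds Python quoting, not HTML encoding. If the browser can render this response as HTML, escape the message before writing it, e.g. `html.write("['ERROR', %r]\n" % html.attrencode(str(e)))` if htmllib's escaping helper is available in this version, or set an explicit non-HTML content type for this endpoint. `ajax_action` starts outside the hunk, so earlier uses of the request values could not be checked here.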
diff --git a/web/htdocs/htmllib.py b/web/htdocs/htmllib.py
index eceb14b..afde184 100644
--- a/web/htdocs/htmllib.py
+++ b/web/htdocs/htmllib.py
@@ -244,7 +244,7 @@ class html:
vars = [ i for i in vars if not i[0].startswith(remove_prefix) ]
vars = vars + addvars
if filename == None:
- filename = self.myfile + ".py"
+ filename = self.urlencode(self.myfile) + ".py"
if vars:
return filename + "?" + self.urlencode_vars(vars)
else:
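Review bot: The encoding on the `filename == None` branch covers only the default filename; when a caller passes `filename` explicitly it is concatenated unencoded on the `return filename + "?" + ...` line two lines below, so the fix holds only as long as every caller passes a trusted literal. A short comment on the new line would make the intent survive future edits: `# myfile is presumably derived from the request; encode it so it cannot break out of the generated URL`. Also, if `urlencode` is a quote_plus-style encoder it percent-encodes `/` as well, so a `myfile` containing a path separator now produces a different link than before — presumably `myfile` is a bare script name, but worth confirming. The enclosing method starts before the hunk and its remaining branch continues after it.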