Module: check_mk
Branch: master
Commit: 258a71a2d23440bb65ba6d8352d97dbacce55433
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=258a71a2d23440…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Mon Sep 17 20:14:59 2018 +0200
6621 SEC Add permission to prevent users from editing "Deploy custom files with agent" rule set
Using the rule set "Deploy custom files with agent" it is possible to select custom files
to be distributed with the agents built using the Agent Bakery. As this rule set may
add custom executable code to the agents, it makes sense to be able to control the permission
for this more explicitly.
If you want to make sure that administrative users can not add those custom files to the
agents, you can now use the rule set "Configure custom agent file deployments" to revoke
this permission.
Change-Id: Iaf9c5d8b763d1f6d24decf8dceed5282dbf85e71
---
.werks/6621 | 17 +++++++++++++++++
cmk/gui/plugins/wato/utils/__init__.py | 2 ++
2 files changed, 19 insertions(+)
diff --git a/.werks/6621 b/.werks/6621
new file mode 100644
index 0000000..d2fa9d1
--- /dev/null
+++ b/.werks/6621
@@ -0,0 +1,17 @@
+Title: Add permission to prevent users from editing "Deploy custom files with agent" rule set
+Level: 1
+Component: agents
+Compatible: compat
+Edition: cee
+Version: 1.6.0i1
+Date: 1537207681
+Class: security
+
+Using the rule set "Deploy custom files with agent" it is possible to select custom files
+to be distributed with the agents built using the Agent Bakery. As this is rule set may
+add custom executable code to the agents it makes sense to be able to control the permission
+for this more explicitly.
+
+If you want to make sure that administrative users can not add those custom files to the
+agents, you can now use the rule set "Configure custom agent file deployments" to revoke
+this permission.
diff --git a/cmk/gui/plugins/wato/utils/__init__.py b/cmk/gui/plugins/wato/utils/__init__.py
index fdab5c4..c5fbb79 100644
--- a/cmk/gui/plugins/wato/utils/__init__.py
+++ b/cmk/gui/plugins/wato/utils/__init__.py
@@ -987,6 +987,8 @@ def may_edit_ruleset(varname):
return config.user.may("wato.services") or config.user.may("wato.rulesets")
elif varname in [ "custom_checks", "datasource_programs" ]:
return config.user.may("wato.rulesets") and config.user.may("wato.add_or_modify_executables")
+ elif varname == "agent_config:custom_files":
+ return config.user.may("wato.rulesets") and config.user.may("wato.agent_deploy_custom_files")
else:
return config.user.may("wato.rulesets")
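Review bot: The new `elif` branch gates `agent_config:custom_files` on `wato.agent_deploy_custom_files`, but the diffstat lists only the werk and this file, so the declaration of that permission is not part of this commit; if it is not registered elsewhere (the werk says Edition: cee, so presumably in edition-specific code) the result of `config.user.may` for an unknown permission name decides whether the rule set becomes editable or locked — worth confirming before merge. Since the reason for the extra gate is not obvious from the code, a short comment above the branch would help, e.g. `# Custom agent files can ship executable code, so require the explicit permission (werk 6621).`. The head of may_edit_ruleset lies outside the hunk.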
Module: check_mk
Branch: master
Commit: 9d7c66700a846f5c83af9c0562558db91aea5af9
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=9d7c66700a846f…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Thu Sep 13 19:53:40 2018 +0200
6566 SEC Fixed possible XSS on agent update status views
Parts of the agent deployment status could be used to trigger XSS injections.
Change-Id: I470506da8e73d093c3d556f84c214f9debe14649
---
.werks/6566 | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/.werks/6566 b/.werks/6566
new file mode 100644
index 0000000..404477d
--- /dev/null
+++ b/.werks/6566
@@ -0,0 +1,10 @@
+Title: Fixed possible XSS on agent update status views
+Level: 1
+Component: agents
+Compatible: compat
+Edition: cee
+Version: 1.6.0i1
+Date: 1536861157
+Class: security
+
+Parts of the agent deployment status could be used to trigger XSS injections.
Module: check_mk
Branch: master
Commit: ae7bfc05258302905f95bc553f595fb10bd7fd4a
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=ae7bfc05258302…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Thu Sep 13 20:32:35 2018 +0200
6610 SEC Fixed possible XSS using the dokuwiki snapin
The content of the DokuWiki page named "sidebar" was inserted into the DokuWiki
view of Check_MK, but was not correctly sanitized. This can only be done by
an administrator of the page, but every user who can access the DokuWiki view
was affected by the vulnerability.
Change-Id: I6c36e9d0459465257f840a2b6220f775c9d23541
---
.werks/6610 | 13 +++++++++++++
cmk/gui/plugins/sidebar/shipped.py | 2 +-
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/.werks/6610 b/.werks/6610
new file mode 100644
index 0000000..32804e9
--- /dev/null
+++ b/.werks/6610
@@ -0,0 +1,13 @@
+Title: Fixed possible XSS using the dokuwiki snapin
+Level: 1
+Component: multisite
+Compatible: compat
+Edition: cre
+Version: 1.6.0i1
+Date: 1536863484
+Class: security
+
+The content of the DokuWiki page named "sidebar" was inserted into the DokuWiki
+view of Check_MK, but was is not correctly sanitized. This can only be done by
+an administrator of the page, but every user who can access the DokuWiki view
+was affected by the vulnerability.
diff --git a/cmk/gui/plugins/sidebar/shipped.py b/cmk/gui/plugins/sidebar/shipped.py
index 58c2e85..cc30456 100644
--- a/cmk/gui/plugins/sidebar/shipped.py
+++ b/cmk/gui/plugins/sidebar/shipped.py
@@ -675,7 +675,7 @@ def render_wiki():
bulletlink(name, "/%s/wiki/doku.php?id=%s" % (config.omd_site(), link))
else:
- html.write(line)
+ html.write_text(line)
if ul_started == True:
html.close_ul()
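Review bot: `html.write_text(line)` now escapes the plain-text lines, but the sibling branch one line up still passes `name` and `link` from the same sidebar page content to `bulletlink(...)` and interpolates `link` into a `doku.php?id=` URL; whether bulletlink escapes its arguments and URL-encodes `link` is not visible in this hunk, so that branch deserves the same check. If it renders its arguments unescaped, the fix is to apply `html.attrencode` to `name` and `urllib.quote` to `link` before the call, or to make bulletlink do so for all callers. render_wiki starts outside the hunk.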
Module: check_mk
Branch: master
Commit: cbaf3a1aa7ed272351f3c608ac79dedf20fbea6e
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=cbaf3a1aa7ed27…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Thu Sep 13 20:08:41 2018 +0200
6567 SEC Fixed possible XSS on activate changes page
It was possible to trigger an XSS issue using the change messages
in some situations.
Change-Id: Iea724f0c3164c5685eb0564fc6d2143094507e43
---
.werks/6567 | 11 +++++++++++
cmk/gui/watolib.py | 6 ++++++
2 files changed, 17 insertions(+)
diff --git a/.werks/6567 b/.werks/6567
new file mode 100644
index 0000000..d89e952
--- /dev/null
+++ b/.werks/6567
@@ -0,0 +1,11 @@
+Title: Fixed possible XSS on activate changes page
+Level: 1
+Component: wato
+Compatible: compat
+Edition: cre
+Version: 1.6.0i1
+Date: 1536862088
+Class: security
+
+It was possible to trigger an XSS issue using the change messages
+in some situations.
diff --git a/cmk/gui/watolib.py b/cmk/gui/watolib.py
index 9022916..b91d36d 100644
--- a/cmk/gui/watolib.py
+++ b/cmk/gui/watolib.py
@@ -5152,6 +5152,12 @@ class ActivateChangesWriter(ActivateChanges):
else:
return obj.__class__.__name__, obj.ident()
+ # Using attrencode here is against our regular rule to do the escaping
+ # at the last possible time: When rendering. But this here is the last
+ # place where we can distinguish between HTML() encapsulated (already)
+ # escaped / allowed HTML and strings to be escaped.
+ text = html.attrencode(text)
+
self._save_change(site_id, {
"id" : change_id,
"action_name" : action_name,
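Review bot: Escaping at write time means every reader of the stored `text` must now output it as already-escaped HTML; a consumer that still escapes on output will show `&amp;lt;`-style artifacts, and one that renders raw is exactly what this fix relies on, but the comment names neither. Extend it with a sentence such as `# Readers of the change log must output this text as-is (no second escaping).` so the contract survives the next refactoring. Changes recorded before this commit remain unescaped in the store and would now be trusted as HTML by such a reader — presumably acceptable because only pending changes are kept, but worth confirming. The enclosing method starts outside the hunk.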
Module: check_mk
Branch: master
Commit: 5fe3b85224edaf8e1fbe80081976ff3125335aaf
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=5fe3b85224edaf…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Fri Sep 14 08:32:08 2018 +0200
6612 SEC Fixed possible reflected XSS using back URLs in view editor
The parameter back of the following requests is vulnerable to reflected XSS.
This vulnerability affects the create/modify view page and requires at least
guest privileges. The victim has to click on the back button to trigger the
injected code.
Change-Id: I56d31e7e884cab576096496ab3676361e653d10d
---
.werks/6612 | 13 +++++++++++++
cmk/gui/main.py | 36 ++++++++++++------------------------
cmk/gui/utils.py | 21 +++++++++++++++++++++
cmk/gui/views.py | 2 ++
cmk/gui/visuals.py | 6 ++++++
5 files changed, 54 insertions(+), 24 deletions(-)
diff --git a/.werks/6612 b/.werks/6612
new file mode 100644
index 0000000..2d536b2
--- /dev/null
+++ b/.werks/6612
@@ -0,0 +1,13 @@
+Title: Fixed possible reflected XSS using back URLs in view editor
+Level: 1
+Component: multisite
+Compatible: compat
+Edition: cre
+Version: 1.6.0i1
+Date: 1536906650
+Class: security
+
+The parameter back of the following requests is vulnerable to reflected XSS.
+This vulnerability affects the create/modify view page and requires at least
+guest privileges. The victim has to click on the back button to trigger the
+injected code.
diff --git a/cmk/gui/main.py b/cmk/gui/main.py
index 08a3b3d..341c5db 100644
--- a/cmk/gui/main.py
+++ b/cmk/gui/main.py
@@ -24,36 +24,14 @@
# to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
# Boston, MA 02110-1301 USA.
-import urlparse
-import re
-
import cmk.gui.pages
import cmk.gui.config as config
+import cmk.gui.utils as utils
from cmk.gui.i18n import _
from cmk.gui.globals import html
@cmk.gui.pages.register("index")
def page_index():
- default_start_url = config.user.get_attribute("start_url") or config.start_url
- start_url = html.var_utf8("start_url", default_start_url).strip()
-
- # Prevent redirecting to absolute URL which could be used to redirect
- # users to compromised pages.
- # Also prevent using of "javascript:" URLs which could used to inject code
- parsed = urlparse.urlparse(start_url)
-
- # Don't allow the user to set a URL scheme
- if parsed.scheme != "":
- start_url = default_start_url
-
- # Don't allow the user to set a network location
- if parsed.netloc != "":
- start_url = default_start_url
-
- # Don't allow bad characters in path
- if not re.match(r"[/a-z0-9_\.-]*$", parsed.path):
- start_url = default_start_url
-
html.write('<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd">\n'
'<html><head>\n')
html.default_html_headers()
@@ -64,4 +42,14 @@ def page_index():
<frame src="%s" name="main" noresize>
</frameset>
</html>
-""" % (html.attrencode(config.get_page_heading()), html.attrencode(start_url)))
+""" % (html.attrencode(config.get_page_heading()), html.attrencode(_get_start_url())))
+
+
+def _get_start_url():
+ start_url = html.var_utf8("start_url", config.user.get_attribute("start_url") or config.start_url).strip()
+ # Prevent redirecting to absolute URL which could be used to redirect
+ # users to compromised pages.
+ if utils.is_allowed_url(start_url):
+ return start_url
+ else:
+ return "dashboard.py"
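Review bot: The fallback in `_get_start_url` changed silently: the removed code fell back to the user's or site's configured start URL (`default_start_url`) when the request value was rejected, whereas the new helper always returns the hard-coded `dashboard.py`, so a rejected `start_url` parameter now overrides a valid configured default. Keep the configured default as the first fallback and use `dashboard.py` only when that too fails `is_allowed_url`; the rewrite below does that without changing the accept path. The helper also lacks a docstring; a one-liner such as `"""Return the requested start URL if it is a safe site-relative path, else a safe default."""` would state the contract.
```python
def _get_start_url():
    default_start_url = config.user.get_attribute("start_url") or config.start_url
    start_url = html.var_utf8("start_url", default_start_url).strip()
    # Prevent redirecting to absolute URL which could be used to redirect
    # users to compromised pages.
    if utils.is_allowed_url(start_url):
        return start_url
    # Honour the configured default before the hard-coded page, so a bad
    # request parameter does not discard a valid user/site setting.
    if utils.is_allowed_url(default_start_url):
        return default_start_url
    return "dashboard.py"
```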
diff --git a/cmk/gui/utils.py b/cmk/gui/utils.py
index c67c4a3..fc29cc3 100644
--- a/cmk/gui/utils.py
+++ b/cmk/gui/utils.py
@@ -33,6 +33,7 @@ import os
import re
import uuid
import marshal
+import urlparse
import cmk.paths
@@ -86,6 +87,26 @@ def cmp_version(a, b):
return cmp(aa, bb)
+def is_allowed_url(url):
+ """Checks whether or not the given URL is a URL it is allowed to redirect the user to"""
+ # Also prevent using of "javascript:" URLs which could used to inject code
+ parsed = urlparse.urlparse(url)
+
+ # Don't allow the user to set a URL scheme
+ if parsed.scheme != "":
+ return False
+
+ # Don't allow the user to set a network location
+ if parsed.netloc != "":
+ return False
+
+ # Don't allow bad characters in path
+ if not re.match(r"[/a-z0-9_\.-]*$", parsed.path):
+ return False
+
+ return True
+
+
# TODO: Remove this helper function. Replace with explicit checks and covnersion
# in using code.
def savefloat(f):
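Review bot: The path check `re.match(r"[/a-z0-9_\.-]*$", parsed.path)` uses `$`, which in Python also matches just before a trailing newline, so a path ending in `\n` passes; only the main.py caller strips its input, the views.py and visuals.py callers do not. Anchor with `\Z` instead: `if not re.match(r"[/a-z0-9_\.-]*\Z", parsed.path):`. Note also that only the path is inspected — the query string and fragment are accepted unchecked, which is fine as long as every caller escapes the value when rendering it into an attribute (not visible here; presumably `context_button` does). The docstring could be clearer about that contract, e.g. `"""Return True if url is a site-relative path the GUI may redirect to (no scheme, no netloc, restricted path characters); query and fragment are not inspected."""`.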
diff --git a/cmk/gui/views.py b/cmk/gui/views.py
index 28a8b45..535115a 100644
--- a/cmk/gui/views.py
+++ b/cmk/gui/views.py
@@ -310,6 +310,8 @@ def page_create_view(next_url = None):
html.header(_('Create View'), stylesheets=["pages"])
html.begin_context_buttons()
back_url = html.var("back", "")
+ if not utils.is_allowed_url(back_url):
+ back_url = "edit_views.py"
html.context_button(_("Back"), back_url or "edit_views.py", "back")
html.end_context_buttons()
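Review bot: The two added lines repeat the same fetch-validate-fallback pattern that this commit also adds in visuals.py in page_create_visual and twice in page_edit_visual, each with its own copy of the default; a small helper (for example in cmk.gui.utils, taking the variable name and the default and returning the request value when `is_allowed_url` accepts it, else the default) would keep the four sites consistent and make future callers safe by default. The pre-existing `back_url or "edit_views.py"` on the next line is still needed, because an empty string passes `is_allowed_url` and would otherwise be used as the href. page_create_view continues outside the hunk.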
diff --git a/cmk/gui/visuals.py b/cmk/gui/visuals.py
index ce1688a..d19a6d2 100644
--- a/cmk/gui/visuals.py
+++ b/cmk/gui/visuals.py
@@ -540,6 +540,8 @@ def page_create_visual(what, info_keys, next_url = None):
html.header(_('Create %s') % title, stylesheets=["pages"])
html.begin_context_buttons()
back_url = html.var("back", "")
+ if not utils.is_allowed_url(back_url):
+ back_url = "edit_%s.py" % what
html.context_button(_("Back"), back_url or "edit_%s.py" % what, "back")
html.end_context_buttons()
@@ -735,6 +737,8 @@ def page_edit_visual(what, all_visuals, custom_field_handler = None,
html.header(title, stylesheets=["pages", "views", "status", "bi"])
html.begin_context_buttons()
back_url = html.var("back", "")
+ if not utils.is_allowed_url(back_url):
+ back_url = "edit_%s.py" % what
html.context_button(_("Back"), back_url or "edit_%s.py" % what, "back")
# Extra buttons to sub modules. These are used for things to edit about
@@ -856,6 +860,8 @@ def page_edit_visual(what, all_visuals, custom_field_handler = None,
back = html.var('back')
if not back:
back = 'edit_%s.py' % what
+ if not utils.is_allowed_url(back):
+ back = 'edit_%s.py' % what
if html.check_transaction():
all_visuals[(owner_user_id, visual["name"])] = visual