Module: check_mk
Branch: master
Commit: 8d8df2c99afdc9731a0ffc98e2f5c909da366748
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=8d8df2c99afdc9…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Fri Sep 14 08:38:30 2018 +0200
6613 SEC Fixed multiple reflected XSS affecting sidebar snapin AJAX calls
Multiple parameters of several snapin AJAX calls were vulnerable to reflected
XSS. The speedometer is accessible to all users with at least monitoring
privileges.
Change-Id: I6ea1d82537d7bf460f8e10104bf1b43ff8af3797
---
.werks/6613 | 12 ++++++++++++
cmk/gui/plugins/sidebar/site_status.py | 1 +
cmk/gui/plugins/sidebar/speedometer.py | 1 +
cmk/gui/plugins/sidebar/virtual_host_tree.py | 2 ++
cmk/gui/sidebar.py | 6 ++++++
5 files changed, 22 insertions(+)
diff --git a/.werks/6613 b/.werks/6613
new file mode 100644
index 0000000..f9361e6
--- /dev/null
+++ b/.werks/6613
@@ -0,0 +1,12 @@
+Title: Fixed multiple reflected XSS in affecting sidebar snapin AJAX calls
+Level: 1
+Component: multisite
+Compatible: compat
+Edition: cre
+Version: 1.6.0i1
+Date: 1536907071
+Class: security
+
+Multiple parameters of several snapin AJAX calls were vulnerable to reflected
+XSS. The speedometer is accessible to all users with at least monitoring
+privileges.
diff --git a/cmk/gui/plugins/sidebar/site_status.py
b/cmk/gui/plugins/sidebar/site_status.py
index 1edfe0a..5b69239 100644
--- a/cmk/gui/plugins/sidebar/site_status.py
+++ b/cmk/gui/plugins/sidebar/site_status.py
@@ -143,6 +143,7 @@ table.sitestate td.state {
def _ajax_switch_site(self):
+ html.set_output_format("json")
# _site_switch=sitename1:on,sitename2:off,...
if not config.user.may("sidesnap.sitestatus"):
return
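Review bot: The added `html.set_output_format("json")` at the top of `_ajax_switch_site` mitigates the reflected XSS only through the response Content-Type, while the handler keeps reading attacker-controlled request parameters (`_site_switch`, per the comment) whose values may still be echoed further down; the body of `_ajax_switch_site` continues outside the hunk, so that cannot be confirmed here. A content-type-based defence holds only if the server also sends `X-Content-Type-Options: nosniff` and if the error path (an `MKUserError` or other exception raised before any body is written) honours the JSON output format instead of falling back to an HTML error page — both worth confirming against `set_output_format`'s implementation. The durable fix is to emit only JSON-encoded values (`json.dumps(...)`) and escape any parameter that is reflected, keeping the header as defence in depth. The same one-line pattern is applied to `_ajax_speedometer`, `_ajax_tag_tree`, `_ajax_tag_tree_enter` and the sidebar.py handlers `ajax_snapin`, `ajax_fold`, `ajax_openclose`, `move_snapin`, `ajax_message_read` and `ajax_set_snapin_site`, so this remark covers those hunks as well.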
diff --git a/cmk/gui/plugins/sidebar/speedometer.py
b/cmk/gui/plugins/sidebar/speedometer.py
index 084f8ff..317cc97 100644
--- a/cmk/gui/plugins/sidebar/speedometer.py
+++ b/cmk/gui/plugins/sidebar/speedometer.py
@@ -199,6 +199,7 @@ canvas#speedometer {
def _ajax_speedometer(self):
+ html.set_output_format("json")
try:
# Try to get values from last call in order to compute
# driftig speedometer-needle and to reuse the scheduled
diff --git a/cmk/gui/plugins/sidebar/virtual_host_tree.py
b/cmk/gui/plugins/sidebar/virtual_host_tree.py
index c06ef05..329e0ce 100644
--- a/cmk/gui/plugins/sidebar/virtual_host_tree.py
+++ b/cmk/gui/plugins/sidebar/virtual_host_tree.py
@@ -484,6 +484,7 @@ function virtual_host_tree_enter(path)
def _ajax_tag_tree(self):
+ html.set_output_format("json")
self._load()
new_tree = html.var("tree_id")
@@ -497,6 +498,7 @@ function virtual_host_tree_enter(path)
# TODO: Validate path in current tree
def _ajax_tag_tree_enter(self):
+ html.set_output_format("json")
self._load()
path = html.var("path").split("|") if
html.var("path") else []
self._cwds[self._current_tree_id] = path
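Review bot: `_ajax_tag_tree_enter` still stores the unvalidated `path` parameter into `self._cwds[self._current_tree_id]` (the `# TODO: Validate path in current tree` directly above it remains open), so the JSON content type protects only this response; the persisted value is presumably rendered by the tree snapin on a later request, which turns a reflected into a stored concern if that rendering does not escape it. Validating that every element of `path` names a node of the currently loaded tree before saving — and rejecting the request with `MKUserError` otherwise — would close that gap. The function's body continues outside the hunk.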
diff --git a/cmk/gui/sidebar.py b/cmk/gui/sidebar.py
index dd23e93..4eec8f1 100644
--- a/cmk/gui/sidebar.py
+++ b/cmk/gui/sidebar.py
@@ -590,6 +590,7 @@ def page_side():
@cmk.gui.pages.register("sidebar_snapin")
def ajax_snapin():
"""Renders and returns the contents of the requested sidebar snapin(s)
in JSON format"""
+ html.set_output_format("json")
# Update online state of the user (if enabled)
userdb.update_user_access_time(config.user.id)
@@ -634,6 +635,7 @@ def ajax_snapin():
@cmk.gui.pages.register("sidebar_fold")
def ajax_fold():
+ html.set_output_format("json")
user_config = UserSidebarConfig(config.user, config.sidebar)
user_config.folded = html.var("fold") == "yes"
user_config.save()
@@ -641,6 +643,7 @@ def ajax_fold():
@cmk.gui.pages.register("sidebar_openclose")
def ajax_openclose():
+ html.set_output_format("json")
if not config.user.may("general.configure_sidebar"):
return
@@ -666,6 +669,7 @@ def ajax_openclose():
@cmk.gui.pages.register("sidebar_move_snapin")
def move_snapin():
+ html.set_output_format("json")
if not config.user.may("general.configure_sidebar"):
return
@@ -695,6 +699,7 @@ def ajax_get_messages():
@cmk.gui.pages.register("sidebar_message_read")
def ajax_message_read():
+ html.set_output_format("json")
try:
notify.delete_gui_message(html.var('id'))
html.write("OK")
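Review bot: `ajax_message_read` now declares a JSON output format but still writes the bare string `OK` (and, presumably, a plain error text in the `except` branch that continues outside the hunk), which is not valid JSON; a client that parses the body as JSON will fail, and one that does not is relying on the Content-Type alone for the mitigation. Consider writing an actual JSON value, e.g. `html.write(json.dumps("OK"))` if `json` is imported in sidebar.py, and encoding the error text the same way. Note also that `html.var('id')` is passed straight to `notify.delete_gui_message`; whether that helper validates the id is not visible here.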
@@ -845,6 +850,7 @@ class PageAddSnapin(object):
# TODO: This is snapin specific. Move this handler to the snapin file
@cmk.gui.pages.register("sidebar_ajax_set_snapin_site")
def ajax_set_snapin_site():
+ html.set_output_format("json")
ident = html.var("ident")
if ident not in snapin_registry:
raise MKUserError(None, _("Invalid ident"))