Module: check_mk
Branch: master
Commit: deb742277a669b8ec9865fb502ad156b1db61014
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=deb742277a669b…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Mon Oct 24 10:06:27 2016 +0200
3970 SEC Fixed possible URL injection on index page
Until this version it was possible to inject external URLs as start URLs
into the GUI of authenticated users.
An attacker could use this to make an authenticated GUI user open a page of his
choice when the user clicks on a prepared link.
One example URL which could be used: "index.py?start_url=//heise.de".
---
.werks/3970 | 16 ++++++++++++++++
ChangeLog | 1 +
web/htdocs/main.py | 17 ++++++++++++++---
3 files changed, 31 insertions(+), 3 deletions(-)
diff --git a/.werks/3970 b/.werks/3970
new file mode 100644
index 0000000..65dc504
--- /dev/null
+++ b/.werks/3970
@@ -0,0 +1,16 @@
+Title: Fixed possible URL injection on index page
+Level: 1
+Component: multisite
+Class: security
+Compatible: compat
+State: unknown
+Version: 1.4.0i2
+Date: 1477295864
+
+Till this version it was possible to inject authenticated users external URLs
+as start URLs for their GUI.
+
+An attacker could use this to make an authenticated GUI user open a page of his
+choice when the user clicks on a prepared link.
+
+One example URL which could be used: "index.py?start_url=//heise.de".
diff --git a/ChangeLog b/ChangeLog
index 30dee88..fd15f54 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -42,6 +42,7 @@
Multisite:
* 3959 Two new filters for the comment view: author and comment text field
+ * 3970 SEC: Fixed possible URL injection on index page...
* 3897 FIX: Fixed possible exception in raw edition when rendering graphs
* 3898 FIX: Unmonitored services: Fixed possible bug in case discovery service
produces unexpected output
* 3902 FIX: Graph search view: Changing painter options made page empty
diff --git a/web/htdocs/main.py b/web/htdocs/main.py
index 97a6981..c1a93d2 100644
--- a/web/htdocs/main.py
+++ b/web/htdocs/main.py
@@ -26,17 +26,28 @@
import config
+import urlparse
+import re
+
def page_index():
default_start_url = config.user.get_attribute("start_url") or
config.start_url
start_url = html.var("start_url", default_start_url).strip()
# Prevent redirecting to absolute URL which could be used to redirect
# users to compromised pages.
- if '://' in start_url:
+ # Also prevent using of "javascript:" URLs which could used to inject code
+ parsed = urlparse.urlparse(start_url)
+
+ # Don't allow the user to set a URL scheme
+ if parsed.scheme != "":
start_url = default_start_url
- # Also prevent using of "javascript:" URLs which could used to inject code
- if start_url.lower().startswith('javascript:'):
+ # Don't allow the user to set a network location
+ if parsed.netloc != "":
+ start_url = default_start_url
+
+ # Don't allow bad characters in path
+ if not re.match("[/a-z0-9_\.-]*$", parsed.path):
start_url = default_start_url
if "%s" in config.page_heading: