[checkmk-commits] 3970 SEC Fixed possible URL injection on index page

Module: check_mk Branch: master Commit: deb742277a669b8ec9865fb502ad156b1db61014 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=deb742277a669b… Author: Lars Michelsen <lm(a)mathias-kettner.de> Date: Mon Oct 24 10:06:27 2016 +0200 3970 SEC Fixed possible URL injection on index page Till this version it was possible to inject authenticated users external URLs as start URLs for their GUI. An attacker could use this to make an authenticated GUI user open a page of his choice when the user clicks on a prepared link. One example URL which could be used: "index.py?start_url=//heise.de". --- .werks/3970 | 16 ++++++++++++++++ ChangeLog | 1 + web/htdocs/main.py | 17 ++++++++++++++--- 3 files changed, 31 insertions(+), 3 deletions(-) diff --git a/.werks/3970 b/.werks/3970 new file mode 100644 index 0000000..65dc504 --- /dev/null +++ b/.werks/3970 @@ -0,0 +1,16 @@ +Title: Fixed possible URL injection on index page +Level: 1 +Component: multisite +Class: security +Compatible: compat +State: unknown +Version: 1.4.0i2 +Date: 1477295864 + +Till this version it was possible to inject authenticated users external URLs +as start URLs for their GUI. + +An attacker could use this to make an authenticated GUI user open a page of his +choice when the user clicks on a prepared link. + +One example URL which could be used: "index.py?start_url=//heise.de". diff --git a/ChangeLog b/ChangeLog index 30dee88..fd15f54 100644 --- a/ChangeLog +++ b/ChangeLog @@ -42,6 +42,7 @@ Multisite: * 3959 Two new filters for the comment view: author and comment text field + * 3970 SEC: Fixed possible URL injection on index page... * 3897 FIX: Fixed possible exception in raw edition when rendering graphs * 3898 FIX: Unmonitored services: Fixed possible bug in case discovery service produces unexpected output * 3902 FIX: Graph search view: Changing painter options made page empty diff --git a/web/htdocs/main.py b/web/htdocs/main.py index 97a6981..c1a93d2 100644 --- a/web/htdocs/main.py +++ b/web/htdocs/main.py @@ -26,17 +26,28 @@ import config +import urlparse +import re + def page_index(): default_start_url = config.user.get_attribute("start_url") or config.start_url start_url = html.var("start_url", default_start_url).strip() # Prevent redirecting to absolute URL which could be used to redirect # users to compromised pages. - if '://' in start_url: + # Also prevent using of "javascript:" URLs which could used to inject code + parsed = urlparse.urlparse(start_url) + + # Don't allow the user to set a URL scheme + if parsed.scheme != "": start_url = default_start_url - # Also prevent using of "javascript:" URLs which could used to inject code - if start_url.lower().startswith('javascript:'): + # Don't allow the user to set a network location + if parsed.netloc != "": + start_url = default_start_url + + # Don't allow bad characters in path + if not re.match("[/a-z0-9_\.-]*$", parsed.path): start_url = default_start_url if "%s" in config.page_heading: