[checkmk-commits] Check_MK Git: check_mk: FIX Fix two XSS weaknesses according to CVSS 8.5 AV :N/AC:M/Au:S/C:C/I:C/A:C

Module: check_mk Branch: master Commit: 076468b10e660abdeaaaa6c459a4aa3ce8e07722 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=076468b10e660a… Author: Mathias Kettner <mk(a)mathias-kettner.de> Date: Tue May 27 11:46:07 2014 +0200 FIX Fix two XSS weaknesses according to CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C This fixes the following issue: The check_mk application is susceptible to reflected XSS attacks. This is mainly the result of inproper output encoding. Reflected XSS can be triggered by sending a malicious URL to a user of the check_mk application. Once the XSS attack is triggered, the attacker has access to the full check_mk (and nagios) application with the access rights of the logged in victim. The fix applies to the function: htmllib.py: render_status_icons() actions.py: ajax_action() --- .werks/982 | 20 ++++++++++++++++++++ ChangeLog | 1 + web/htdocs/actions.py | 2 +- web/htdocs/htmllib.py | 2 +- 4 files changed, 23 insertions(+), 2 deletions(-) diff --git a/.werks/982 b/.werks/982 new file mode 100644 index 0000000..0ff464c --- /dev/null +++ b/.werks/982 @@ -0,0 +1,20 @@ +Title: Fix two XSS weaknesses according to CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C +Level: 2 +Component: multisite +Class: security +State: unknown +Version: 1.2.5i4 +Date: 1401183811 + +This fixes the following issue: + +The check_mk application is susceptible to reflected XSS attacks. This is +mainly the result of inproper output encoding. Reflected XSS can be triggered +by sending a malicious URL to a user of the check_mk application. Once the +XSS attack is triggered, the attacker has access to the full check_mk (and +nagios) application with the access rights of the logged in victim. + +The fix applies to the function: + +htmllib.py: render_status_icons() +actions.py: ajax_action() diff --git a/ChangeLog b/ChangeLog index 4ddd575..7b578f3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -22,6 +22,7 @@ * 0823 FIX: mk_sap: Fixed some wrong calculated values (decimal numbers)... Multisite: + * 0982 SEC: Fix two XSS weaknesses according to CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C... * 0934 FIX: Logwatch messages with class unknown ( 'u' ) now displayed as WARN... * 0166 FIX: mobile gui: Fixed colors of command list... * 0820 FIX: Fixed wrong NagVis links in "custom links" snapin diff --git a/web/htdocs/actions.py b/web/htdocs/actions.py index 20e9ebd..05e894e 100644 --- a/web/htdocs/actions.py +++ b/web/htdocs/actions.py @@ -34,7 +34,7 @@ def ajax_action(): if action == "reschedule": action_reschedule() else: - raise MKGeneralException("Invalid action '%s'" % action) + raise MKGeneralException("Invalid action.") except Exception, e: html.write("['ERROR', %r]\n" % str(e)) diff --git a/web/htdocs/htmllib.py b/web/htdocs/htmllib.py index eceb14b..afde184 100644 --- a/web/htdocs/htmllib.py +++ b/web/htdocs/htmllib.py @@ -244,7 +244,7 @@ class html: vars = [ i for i in vars if not i[0].startswith(remove_prefix) ] vars = vars + addvars if filename == None: - filename = self.myfile + ".py" + filename = self.urlencode(self.myfile) + ".py" if vars: return filename + "?" + self.urlencode_vars(vars) else: