Module: check_mk
Branch: master
Commit: 076468b10e660abdeaaaa6c459a4aa3ce8e07722
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=076468b10e660a…
Author: Mathias Kettner <mk(a)mathias-kettner.de>
Date: Tue May 27 11:46:07 2014 +0200
FIX Fix two XSS weaknesses according to CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
This fixes the following issue:
The check_mk application is susceptible to reflected XSS attacks. This is
mainly the result of improper output encoding. Reflected XSS can be triggered
by sending a malicious URL to a user of the check_mk application. Once the
XSS attack is triggered, the attacker has access to the full check_mk (and
nagios) application with the access rights of the logged-in victim.
The fix applies to the function:
htmllib.py: render_status_icons()
actions.py: ajax_action()
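The two weaknesses the message describes are both output-encoding problems: a request value echoed into an HTML response body unencoded, and a script name spliced into a URL unencoded. The following Python 3 snippet is an added illustration of those two encoding contexts; it is not code from check_mk, the function names (`error_response_unescaped`, `error_response_hardened`, `make_uri`) and the sample value are constructed for this example, and it only mirrors the shape of the patched lines rather than the project's real `html` class.

```python
import html
from urllib.parse import quote, urlencode

# Constructed sample of an attacker-shaped request value (not from the page).
SAMPLE_ACTION = '<img src=x onerror=alert(1)>'


def error_response_unescaped(action):
    """Pattern of the removed line: the unknown action name is echoed into
    the response body as-is, so a browser rendering the response treats any
    markup inside the value as markup."""
    message = "Invalid action '%s'" % action
    return "['ERROR', %r]\n" % message


def error_response_hardened(action):
    """Defensive variant: the message is HTML-escaped at the write site, so
    the value is shown as text no matter what it contains. Encoding at the
    output point also covers any other exception text written here."""
    message = "Invalid action '%s'" % action
    return "['ERROR', %r]\n" % html.escape(message, quote=True)


def make_uri(myfile, variables):
    """URL builder in the spirit of the htmllib.py change: the script name
    is percent-encoded before it becomes part of the link, and the query
    variables are encoded separately by urlencode()."""
    filename = quote(myfile, safe='') + ".py"
    if variables:
        return filename + "?" + urlencode(variables)
    return filename


if __name__ == "__main__":
    print(error_response_unescaped(SAMPLE_ACTION), end="")
    print(error_response_hardened(SAMPLE_ACTION), end="")
    print(make_uri("view", [("host", "srv1")]))
    print(make_uri(SAMPLE_ACTION, []))
```

The design point is where the encoding lives: `error_response_hardened` encodes at the point the text leaves the application, so it does not depend on every exception message being free of request data, and `make_uri` encodes the script name and the query variables with the encoder that matches each part of the URL.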
---
.werks/982 | 20 ++++++++++++++++++++
ChangeLog | 1 +
web/htdocs/actions.py | 2 +-
web/htdocs/htmllib.py | 2 +-
4 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/.werks/982 b/.werks/982
new file mode 100644
index 0000000..0ff464c
--- /dev/null
+++ b/.werks/982
@@ -0,0 +1,20 @@
+Title: Fix two XSS weaknesses according to CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
+Level: 2
+Component: multisite
+Class: security
+State: unknown
+Version: 1.2.5i4
+Date: 1401183811
+
+This fixes the following issue:
+
+The check_mk application is susceptible to reflected XSS attacks. This is
+mainly the result of inproper output encoding. Reflected XSS can be triggered
+by sending a malicious URL to a user of the check_mk application. Once the
+XSS attack is triggered, the attacker has access to the full check_mk (and
+nagios) application with the access rights of the logged in victim.
+
+The fix applies to the function:
+
+htmllib.py: render_status_icons()
+actions.py: ajax_action()
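Review bot: the function list at the end of the werk does not match the htmllib.py change in this commit. The htmllib.py hunk edits the URL-building method (its context shows `vars`, `filename` and `urlencode_vars`, and the changed line is `filename = self.urlencode(self.myfile) + ".py"`), while the werk names `render_status_icons()`. Either the werk should name the method actually changed, or a change to `render_status_icons()` is missing from this commit; as written, readers of the werk will look for a fix in the wrong place.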
diff --git a/ChangeLog b/ChangeLog
index 4ddd575..7b578f3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -22,6 +22,7 @@
* 0823 FIX: mk_sap: Fixed some wrong calculated values (decimal numbers)...
Multisite:
+ * 0982 SEC: Fix two XSS weaknesses according to CVSS 8.5
AV:N/AC:M/Au:S/C:C/I:C/A:C...
* 0934 FIX: Logwatch messages with class unknown ( 'u' ) now displayed as
WARN...
* 0166 FIX: mobile gui: Fixed colors of command list...
* 0820 FIX: Fixed wrong NagVis links in "custom links" snapin
diff --git a/web/htdocs/actions.py b/web/htdocs/actions.py
index 20e9ebd..05e894e 100644
--- a/web/htdocs/actions.py
+++ b/web/htdocs/actions.py
@@ -34,7 +34,7 @@ def ajax_action():
if action == "reschedule":
action_reschedule()
else:
- raise MKGeneralException("Invalid action '%s'" % action)
+ raise MKGeneralException("Invalid action.")
except Exception, e:
html.write("['ERROR', %r]\n" % str(e))
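Review bot: removing the action name from the exception message takes the reflected value out of this one path, but the write site on the last context line, `html.write("['ERROR', %r]\n" % str(e))`, still emits any exception text unencoded. Any other exception raised inside the `try` block whose message carries request data would be reflected the same way, so the more robust change is to HTML-escape (or JSON-encode) `str(e)` at the write site. The rejected action value is also useful for diagnosis; logging it server-side would keep that information without putting it in the response.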
diff --git a/web/htdocs/htmllib.py b/web/htdocs/htmllib.py
index eceb14b..afde184 100644
--- a/web/htdocs/htmllib.py
+++ b/web/htdocs/htmllib.py
@@ -244,7 +244,7 @@ class html:
vars = [ i for i in vars if not i[0].startswith(remove_prefix) ]
vars = vars + addvars
if filename == None:
- filename = self.myfile + ".py"
+ filename = self.urlencode(self.myfile) + ".py"
if vars:
return filename + "?" + self.urlencode_vars(vars)
else:
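Review bot: the encoding is applied only on the `filename == None` path; a `filename` passed in by the caller reaches `return filename + "?" + self.urlencode_vars(vars)` unchanged, so the fix holds only as long as every caller supplies a trusted value. Encoding `filename` after the `if` (or in the return) would cover both paths. As a style point, `filename is None` is the idiomatic test here rather than `== None`.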