Module: check_mk
Branch: master
Commit: 01a589a8ac777aa3f984bcc484e09ca44b1ac040
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=01a589a8ac777a…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Mon Sep 17 20:40:40 2018 +0200
6622 SEC Fixed possible open redirect on login page
It was possible to redirect a user to external websites by manipulating
GET parameters. To exploit this vulnerability, an attacker needs to trick a
user into following a crafted URL. The attack only works if the user does not
notice that they are being redirected to a different URL.
Change-Id: I072a6e1b49cd33a104f9c0c26113b29f46e2a86d
---
.werks/6622 | 13 +++++++++++++
cmk/gui/login.py | 5 ++++-
2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/.werks/6622 b/.werks/6622
new file mode 100644
index 0000000..e8fdd4c
--- /dev/null
+++ b/.werks/6622
@@ -0,0 +1,13 @@
+Title: Fixed possible open redirect on login page
+Level: 1
+Component: multisite
+Compatible: compat
+Edition: cre
+Version: 1.6.0i1
+Date: 1537209561
+Class: security
+
+It was possible to redirect an user to external websites through manipulating
+GET parameters. To exploit this vulnerability, an attacker needs to trick a
+user into following a crafted URL. The attack only works if the user does not
+notice that he is redirected to a different URL.
diff --git a/cmk/gui/login.py b/cmk/gui/login.py
index 27dc61a..c7d8a9b 100644
--- a/cmk/gui/login.py
+++ b/cmk/gui/login.py
@@ -371,7 +371,7 @@ def do_login():
# - logout.py: Happens after login
# - side.py: Happens when invalid login is detected during sidebar refresh
# - Full qualified URLs (http://...) to prevent redirection attacks
- if not origtarget or "logout.py" in origtarget or 'side.py'
in origtarget or '://' in origtarget:
+ if not origtarget or "logout.py" in origtarget or 'side.py'
in origtarget or not utils.is_allowed_url(origtarget):
origtarget = config.url_prefix() + 'check_mk/'
# None -> User unknown, means continue with other connectors
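Review bot: The comment immediately above the changed condition still says that only fully qualified URLs (`http://...`) are rejected, but the condition now delegates to `utils.is_allowed_url(origtarget)`, whose rules are not part of this diff; the comment should name the helper so the next reader does not assume a plain `://` substring test, e.g. `# - Anything rejected by utils.is_allowed_url() (absolute URLs etc.) to prevent open redirects`. Because the helper is not visible here, it is worth confirming that it also rejects protocol-relative targets such as `//evil.example` and backslash variants like `/\evil.example`, which the old `'://' in origtarget` check never caught and which browsers still treat as external. The `logout.py` and `side.py` substring checks are unchanged, so the helper only adds a further filter on top of them. The enclosing `do_login()` begins before and continues after this hunk.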
@@ -438,6 +438,9 @@ def normal_login_page(called_directly = True):
html.header(config.get_page_heading(), javascripts=[],
stylesheets=["pages", "login"])
origtarget = html.var('_origtarget', '')
+ if not utils.is_allowed_url(origtarget):
+ origtarget = html.makeuri([])
+
if not origtarget and not html.myfile in [ 'login', 'logout' ]:
origtarget = html.makeuri([])