[checkmk-commits] 6622 SEC Fixed possible open redirect on login page

Module: check_mk Branch: master Commit: 01a589a8ac777aa3f984bcc484e09ca44b1ac040 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=01a589a8ac777a… Author: Lars Michelsen <lm(a)mathias-kettner.de> Date: Mon Sep 17 20:40:40 2018 +0200 6622 SEC Fixed possible open redirect on login page It was possible to redirect an user to external websites through manipulating GET parameters. To exploit this vulnerability, an attacker needs to trick a user into following a crafted URL. The attack only works if the user does not notice that he is redirected to a different URL. Change-Id: I072a6e1b49cd33a104f9c0c26113b29f46e2a86d --- .werks/6622 | 13 +++++++++++++ cmk/gui/login.py | 5 ++++- 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/.werks/6622 b/.werks/6622 new file mode 100644 index 0000000..e8fdd4c --- /dev/null +++ b/.werks/6622 @@ -0,0 +1,13 @@ +Title: Fixed possible open redirect on login page +Level: 1 +Component: multisite +Compatible: compat +Edition: cre +Version: 1.6.0i1 +Date: 1537209561 +Class: security + +It was possible to redirect an user to external websites through manipulating +GET parameters. To exploit this vulnerability, an attacker needs to trick a +user into following a crafted URL. The attack only works if the user does not +notice that he is redirected to a different URL. diff --git a/cmk/gui/login.py b/cmk/gui/login.py index 27dc61a..c7d8a9b 100644 --- a/cmk/gui/login.py +++ b/cmk/gui/login.py @@ -371,7 +371,7 @@ def do_login(): # - logout.py: Happens after login # - side.py: Happens when invalid login is detected during sidebar refresh # - Full qualified URLs (http://...) to prevent redirection attacks - if not origtarget or "logout.py" in origtarget or 'side.py' in origtarget or '://' in origtarget: + if not origtarget or "logout.py" in origtarget or 'side.py' in origtarget or not utils.is_allowed_url(origtarget): origtarget = config.url_prefix() + 'check_mk/' # None -> User unknown, means continue with other connectors @@ -438,6 +438,9 @@ def normal_login_page(called_directly = True): html.header(config.get_page_heading(), javascripts=[], stylesheets=["pages", "login"]) origtarget = html.var('_origtarget', '') + if not utils.is_allowed_url(origtarget): + origtarget = html.makeuri([]) + if not origtarget and not html.myfile in [ 'login', 'logout' ]: origtarget = html.makeuri([])