[checkmk-commits] 6615 SEC Fixed unauthorized access to master control actions

Module: check_mk Branch: master Commit: 3e586750d45011fca465255518aa90a97935aa0a URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=3e586750d45011… Author: Lars Michelsen <lm(a)mathias-kettner.de> Date: Fri Sep 14 09:05:09 2018 +0200 6615 SEC Fixed unauthorized access to master control actions As an authenticated guest user it was possible to gain unauthorized access to the master control snapin actions event if it is not possible to open the master control snapin. The vulnerability could be used to disable the complete monitoring or trigger other actions like disabling notifications. Change-Id: Ibc5c9f8b2183cee7444548a3f2e0c7392351dcaa --- .werks/6615 | 13 +++++++++++++ cmk/gui/plugins/sidebar/master_control.py | 5 +++++ 2 files changed, 18 insertions(+) diff --git a/.werks/6615 b/.werks/6615 new file mode 100644 index 0000000..44c6098 --- /dev/null +++ b/.werks/6615 @@ -0,0 +1,13 @@ +Title: Fixed unauthorized access to master control actions +Level: 2 +Component: multisite +Compatible: compat +Edition: cre +Version: 1.6.0i1 +Date: 1536908316 +Class: security + +As an authenticated guest user it was possible to gain unauthorized access to +the master control snapin actions event if it is not possible to open the +master control snapin. The vulnerability could be used to disable the complete +monitoring or trigger other actions like disabling notifications. diff --git a/cmk/gui/plugins/sidebar/master_control.py b/cmk/gui/plugins/sidebar/master_control.py index c360f47..319c573 100644 --- a/cmk/gui/plugins/sidebar/master_control.py +++ b/cmk/gui/plugins/sidebar/master_control.py @@ -175,6 +175,11 @@ div.snapin table.master_control td img.iconbutton { def _ajax_switch_masterstate(self): + html.set_output_format("json") + + if not config.user.may("sidesnap.master_control"): + return + site = html.var("site") column = html.var("switch") state = int(html.var("state"))