Module: check_mk
Branch: master
Commit: 3e586750d45011fca465255518aa90a97935aa0a
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=3e586750d45011…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Fri Sep 14 09:05:09 2018 +0200
6615 SEC Fixed unauthorized access to master control actions
As an authenticated guest user it was possible to gain unauthorized access to
the master control snapin actions even if it is not possible to open the
master control snapin. The vulnerability could be used to disable the complete
monitoring or trigger other actions like disabling notifications.
Change-Id: Ibc5c9f8b2183cee7444548a3f2e0c7392351dcaa
---
.werks/6615 | 13 +++++++++++++
cmk/gui/plugins/sidebar/master_control.py | 5 +++++
2 files changed, 18 insertions(+)
diff --git a/.werks/6615 b/.werks/6615
new file mode 100644
index 0000000..44c6098
--- /dev/null
+++ b/.werks/6615
@@ -0,0 +1,13 @@
+Title: Fixed unauthorized access to master control actions
+Level: 2
+Component: multisite
+Compatible: compat
+Edition: cre
+Version: 1.6.0i1
+Date: 1536908316
+Class: security
+
+As an authenticated guest user it was possible to gain unauthorized access to
+the master control snapin actions event if it is not possible to open the
+master control snapin. The vulnerability could be used to disable the complete
+monitoring or trigger other actions like disabling notifications.
diff --git a/cmk/gui/plugins/sidebar/master_control.py
b/cmk/gui/plugins/sidebar/master_control.py
index c360f47..319c573 100644
--- a/cmk/gui/plugins/sidebar/master_control.py
+++ b/cmk/gui/plugins/sidebar/master_control.py
@@ -175,6 +175,11 @@ div.snapin table.master_control td img.iconbutton {
def _ajax_switch_masterstate(self):
+ html.set_output_format("json")
+
+ if not config.user.may("sidesnap.master_control"):
+ return
+
site = html.var("site")
column = html.var("switch")
state = int(html.var("state"))