[checkmk-commits] Check_MK Git: check_mk: #2612 SEC Fixed possible XSS on service detail page using the long service output

Module: check_mk Branch: master Commit: 673f0addeeb867f3c620d0bcbc1d43ac14783492 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=673f0addeeb867… Author: Lars Michelsen &lt;lm(a)mathias-kettner.de&gt; Date: Fri Sep 18 10:08:10 2015 +0200 #2612 SEC Fixed possible XSS on service detail page using the long service output Normaly all check results displayed in the GUI are HTML escaped by default. The escaping was missing for the long service output of the service detail page. So one could create multi line check results containing HTML/Javascript code which would be executed when a user opens the service detail page of the service with the check result containing the injected code. The issue has been fixed by escaping the long output exactly like the normal plugin output. One difference is left: newline characters are replaced by HTML newlines to make displaying of multiple lines still possible. If you want the old behaviour back, you can disable the plugin output escaping using the global settings. But please note that an attacker might be able to inject javascript code. --- .werks/2612 | 23 +++++++++++++++++++++++ ChangeLog | 1 + web/plugins/views/painters.py | 2 +- 3 files changed, 25 insertions(+), 1 deletion(-) diff --git a/.werks/2612 b/.werks/2612 new file mode 100644 index 0000000..bc65f16 --- /dev/null +++ b/.werks/2612 @@ -0,0 +1,23 @@ +Title: Fixed possible XSS on service detail page using the long service output +Level: 2 +Component: multisite +Class: security +Compatible: compat +State: unknown +Version: 1.2.7i3 +Date: 1442563370 + +Normaly all check results displayed in the GUI are HTML escaped by default. +The escaping was missing for the long service output of the service detail +page. So one could create multi line check results containing HTML/Javascript +code which would be executed when a user opens the service detail page of +the service with the check result containing the injected code. + +The issue has been fixed by escaping the long output exactly like the normal +plugin output. One difference is left: newline characters are replaced by +HTML newlines to make displaying of multiple lines still possible. + +If you want the old behaviour back, you can disable the plugin output escaping +using the global settings. But please note that an attacker might be able to +inject javascript code. + diff --git a/ChangeLog b/ChangeLog index 759efe1..d439275 100644 --- a/ChangeLog +++ b/ChangeLog @@ -208,6 +208,7 @@ * 2501 Implemented new crash report handling... * 2491 Allow clickable URLs in comments and downtime texts... * 2512 Custom Icons/Actions: URLs target frames can now be configured... + * 2612 SEC: Fixed possible XSS on service detail page using the long service output... * 2314 FIX: Availability: fixed exception when grouping by host or service group * 2361 FIX: Fix exception for missing key 'title' in certain cases of older customized views * 2379 FIX: Plugin-Output: Fixed handling of URLs within output of check_http... diff --git a/web/plugins/views/painters.py b/web/plugins/views/painters.py index fd085cf..f72e398 100644 --- a/web/plugins/views/painters.py +++ b/web/plugins/views/painters.py @@ -517,7 +517,7 @@ multisite_painters["svc_long_plugin_output"] = { "title" : _("Long output of check plugin (multiline)"), "short" : _("Status detail"), "columns" : ["service_long_plugin_output"], - "paint" : lambda row: paint_stalified(row, row["service_long_plugin_output"].replace('\\n', '<br>').replace('\n', '<br>')), + "paint" : lambda row: paint_stalified(row, format_plugin_output(row["service_long_plugin_output"], row).replace('\\n', '<br>').replace('\n', '<br>')), } multisite_painters["svc_perf_data"] = { "title" : _("Service performance data"),