Module: check_mk
Branch: master
Commit: 673f0addeeb867f3c620d0bcbc1d43ac14783492
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=673f0addeeb867…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Fri Sep 18 10:08:10 2015 +0200
#2612 SEC Fixed possible XSS on service detail page using the long service output
Normally all check results displayed in the GUI are HTML escaped by default.
The escaping was missing for the long service output of the service detail
page. So one could create multi-line check results containing HTML/JavaScript
code which would be executed when a user opens the service detail page of
the service with the check result containing the injected code.
The issue has been fixed by escaping the long output exactly like the normal
plugin output. One difference is left: newline characters are replaced by
HTML newlines to make displaying of multiple lines still possible.
If you want the old behaviour back, you can disable the plugin output escaping
using the global settings. But please note that an attacker might be able to
inject JavaScript code.
---
.werks/2612 | 23 +++++++++++++++++++++++
ChangeLog | 1 +
web/plugins/views/painters.py | 2 +-
3 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/.werks/2612 b/.werks/2612
new file mode 100644
index 0000000..bc65f16
--- /dev/null
+++ b/.werks/2612
@@ -0,0 +1,23 @@
+Title: Fixed possible XSS on service detail page using the long service output
+Level: 2
+Component: multisite
+Class: security
+Compatible: compat
+State: unknown
+Version: 1.2.7i3
+Date: 1442563370
+
+Normaly all check results displayed in the GUI are HTML escaped by default.
+The escaping was missing for the long service output of the service detail
+page. So one could create multi line check results containing HTML/Javascript
+code which would be executed when a user opens the service detail page of
+the service with the check result containing the injected code.
+
+The issue has been fixed by escaping the long output exactly like the normal
+plugin output. One difference is left: newline characters are replaced by
+HTML newlines to make displaying of multiple lines still possible.
+
+If you want the old behaviour back, you can disable the plugin output escaping
+using the global settings. But please note that an attacker might be able to
+inject javascript code.
+
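Review bot: spelling in the werk text that ships to users: "Normaly" in the first paragraph should be "Normally", and "HTML/Javascript" / "javascript code" should read "JavaScript"; "multi line" is also conventionally hyphenated ("multi-line"). Worth fixing here before the werk is published, since this text is what the changelog and werk browser will show.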
diff --git a/ChangeLog b/ChangeLog
index 759efe1..d439275 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -208,6 +208,7 @@
* 2501 Implemented new crash report handling...
* 2491 Allow clickable URLs in comments and downtime texts...
* 2512 Custom Icons/Actions: URLs target frames can now be configured...
+ * 2612 SEC: Fixed possible XSS on service detail page using the long service
output...
* 2314 FIX: Availability: fixed exception when grouping by host or service group
* 2361 FIX: Fix exception for missing key 'title' in certain cases of older
customized views
* 2379 FIX: Plugin-Output: Fixed handling of URLs within output of check_http...
diff --git a/web/plugins/views/painters.py b/web/plugins/views/painters.py
index fd085cf..f72e398 100644
--- a/web/plugins/views/painters.py
+++ b/web/plugins/views/painters.py
@@ -517,7 +517,7 @@ multisite_painters["svc_long_plugin_output"] = {
"title" : _("Long output of check plugin (multiline)"),
"short" : _("Status detail"),
"columns" : ["service_long_plugin_output"],
- "paint" : lambda row: paint_stalified(row,
row["service_long_plugin_output"].replace('\\n',
'<br>').replace('\n', '<br>')),
+ "paint" : lambda row: paint_stalified(row,
format_plugin_output(row["service_long_plugin_output"],
row).replace('\\n', '<br>').replace('\n',
'<br>')),
}
multisite_painters["svc_perf_data"] = {
"title" : _("Service performance data"),
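Review bot: the safety of the new `paint` lambda depends on the order of operations, `format_plugin_output(...)` first and the two `.replace(..., '<br>')` calls afterwards, so that the `<br>` tags are inserted into already-escaped text; done the other way round they would come out as `&lt;br&gt;`. Nothing in the hunk records that, and as the commit message says, `format_plugin_output` only escapes when the global "escape plugin output" setting is enabled. Suggest a short comment above `multisite_painters["svc_long_plugin_output"]` stating both points, and a regression test that feeds a multi-line output containing `<script>` through the painter and asserts the result contains `&lt;script&gt;` and the expected number of `<br>` tags.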
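As an added illustration of the fix (example code, not check_mk's own), the following contrasts the pre-fix painter with the escape-then-`<br>` approach of werk #2612 on a constructed multi-line check result. Python's `html.escape` stands in for check_mk's `format_plugin_output`, which in the real code base does more (URL handling) and only escapes when the global "escape plugin output" setting is on; the `wrong_order` variant is added only to show why the escaping has to come first.

```python
# Added example, not check_mk's code. html.escape() is an assumption standing
# in for format_plugin_output(); the sample output below is constructed.
import html
import re

# Constructed long service output as a plugin could deliver it: a real
# newline, a literal backslash-n sequence, and injected HTML/JavaScript.
SAMPLE_LONG_OUTPUT = (
    "disk /var is 91% full\n"
    "see <a href=\"http://wiki.example/\">wiki</a>\\n"
    "<script>alert('xss')</script>"
)


def newlines_to_br(text):
    # check_mk turns both the two-character sequence "\n" and real newline
    # characters into HTML line breaks (see the painter in painters.py).
    return text.replace('\\n', '<br>').replace('\n', '<br>')


def paint_long_output_vulnerable(long_output):
    """Pre-fix behaviour: the check result lands in the page unescaped."""
    return newlines_to_br(long_output)


def paint_long_output_fixed(long_output):
    """Post-fix behaviour: escape first, then insert <br>.

    The <br> tags are added after escaping, so they remain real markup while
    everything that came from the check result is inert text."""
    return newlines_to_br(html.escape(long_output, quote=True))


def paint_long_output_wrong_order(long_output):
    """Escaping after the newline substitution neutralises the <br> tags too;
    included only to show why the order in the fix matters."""
    return html.escape(newlines_to_br(long_output), quote=True)


def contains_active_markup(rendered):
    """True if the rendered HTML contains any tag other than <br>."""
    return re.search(r'<(?!br>)[A-Za-z/]', rendered) is not None


if __name__ == "__main__":
    for name, painter in (("vulnerable", paint_long_output_vulnerable),
                          ("fixed", paint_long_output_fixed),
                          ("wrong_order", paint_long_output_wrong_order)):
        out = painter(SAMPLE_LONG_OUTPUT)
        print("%-11s active markup: %-5s  %s" %
              (name, contains_active_markup(out), out))
```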