Branch: refs/heads/2.1.0
Home:
https://github.com/tribe29/checkmk
Commit: de49f9f9b7611a8504aabfb5ffe3dea8c5fb16a6
https://github.com/tribe29/checkmk/commit/de49f9f9b7611a8504aabfb5ffe3dea8c…
Author: Maximilian Wirtz <maximilian.wirtz(a)tribe29.com>
Date: 2022-04-14 (Thu, 14 Apr 2022)
Changed paths:
A .werks/13897
M cmk/base/notify.py
Log Message:
-----------
Fix command injection vulnerability
Prior to this Werk, an attacker who could control certain notification
variables such as <tt>NOTIFICATIONTYPE</tt> or <tt>HOSTNAME</tt> was able to
inject commands into the fall-back mail command. The commands were then executed
as the site user.
With this werk the variable <tt>MAIL_COMMAND</tt> is no longer available
in notification scripts.
You can reduce the risk of exploitation by disabling listening in the
notification spooler (the default is disabled; CEE/CME only feature).
All maintained versions (>=1.6) are subject to this vulnerability. It is likely
that previous versions were also vulnerable.
To detect possible exploitation, <tt>var/log/mknotifyd.log</tt> and
<tt>var/log/notify.log</tt> can be checked for special shell characters like
<tt>&&</tt> and odd quoting.
CMK-8780
Change-Id: I98236d1aa7854773862aee6fedcd669b09ba5fc0
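As an added illustration of the detection hint in the message above (not part of this commit or of Checkmk's own code), a small scanner that flags log lines containing shell metacharacters or unbalanced quotes. The sample lines are constructed; the real format of the two log files is not shown here, so the scanner treats each line as opaque text.

```python
import re

# Shell metacharacters that have no business inside a hostname or a
# notification type; the message above names "&&" as the typical marker.
SHELL_META = re.compile(r"&&|\|\||[;|`]|\$\(")


def has_odd_quoting(s: str) -> bool:
    """True if single or double quotes are unbalanced (backslash-escaped quotes ignored)."""
    stripped = re.sub(r"\\.", "", s)
    return stripped.count('"') % 2 == 1 or stripped.count("'") % 2 == 1


def suspicious_reasons(line: str) -> list:
    """Explain why a line looks suspicious; empty list means it looks clean."""
    reasons = []
    m = SHELL_META.search(line)
    if m:
        reasons.append(f"shell metacharacter {m.group(0)!r}")
    if has_odd_quoting(line):
        reasons.append("unbalanced quotes")
    return reasons


def scan_log(lines) -> list:
    """Return (line_number, line, reasons) for every line worth a closer look."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = suspicious_reasons(line)
        if reasons:
            hits.append((n, line.rstrip("\n"), reasons))
    return hits


# Constructed sample lines (not real mknotifyd.log / notify.log output).
SAMPLE_LOG = """\
2022-04-14 10:00:01 Got raw notification (web01 / CPU load) with 42 variables
2022-04-14 10:00:02 NOTIFICATIONTYPE=PROBLEM HOSTNAME=web01
2022-04-14 10:00:03 NOTIFICATIONTYPE=PROBLEM HOSTNAME=web01 && true
2022-04-14 10:00:04 NOTIFICATIONTYPE=PROBLEM" HOSTNAME=db01
"""

if __name__ == "__main__":
    for n, line, reasons in scan_log(SAMPLE_LOG.splitlines(keepends=True)):
        print(f"line {n}: {', '.join(reasons)}: {line}")
```

Run it against the real files with `scan_log(open(path))`; expect some noise from legitimate quoting in message texts, so review hits rather than alerting on them blindly.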