Module: check_mk
Branch: master
Commit: cf4c8dad7211fd648f7ef5c5e3787990e17e28a3
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=cf4c8dad7211fd…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Sep 25 13:51:46 2018 +0200
6709 SEC Fixed possible information disclosure to apache log when editing users
An administrator has the ability to create new users. The credentials of a
newly created user were visible within the HTML of the resulting web page as
GET parameter of various hyperlinks. If one of these links was clicked, the
credentials were stored in the administrator’s browser history and in the
access logs of the server.
CMK-967
Change-Id: I1be7051d97756b1fd4135b032833df18de63eee5
---
.werks/6709 | 15 +++++++++++++++
cmk/gui/wato/__init__.py | 18 +++++++++---------
2 files changed, 24 insertions(+), 9 deletions(-)
diff --git a/.werks/6709 b/.werks/6709
new file mode 100644
index 0000000..222b4df
--- /dev/null
+++ b/.werks/6709
@@ -0,0 +1,15 @@
+Title: Fixed possible information disclosure to apache log when editing users
+Level: 1
+Component: wato
+Class: security
+Compatible: compat
+Edition: cre
+State: unknown
+Version: 1.6.0i1
+Date: 1537538044
+
+An administrator has the ability to create new users. The credentials of a
+newly created user were visible within the HTML of the resulting web page as
+GET parameter of various hyperlinks. If one of these links was clicked, the
+credentials were stored in the administrator’s browser history and in the access
+logs of the server.
diff --git a/cmk/gui/wato/__init__.py b/cmk/gui/wato/__init__.py
index 100049d..474c151 100644
--- a/cmk/gui/wato/__init__.py
+++ b/cmk/gui/wato/__init__.py
@@ -9266,21 +9266,21 @@ class ModeEditUser(WatoMode):
# Authentication: Password or Secret
auth_method = html.var("authmethod")
if auth_method == "secret":
- secret = html.var("secret", "").strip()
+ secret = html.var("_auth_secret", "").strip()
user_attrs["automation_secret"] = secret
user_attrs["password"] = encrypt_password(secret)
increase_serial = True # password changed, reflect in auth serial
else:
- password = html.var("password_" + self._pw_suffix(),
'').strip()
- password2 = html.var("password2_" + self._pw_suffix(),
'').strip()
+ password = html.var("_password_" + self._pw_suffix(),
'').strip()
+ password2 = html.var("_password2_" + self._pw_suffix(),
'').strip()
# We compare both passwords only, if the user has supplied
# the repeation! We are so nice to our power users...
# Note: this validation is done before the main-validiation later on
# It doesn't make any sense to put this block into the main validation
function
if password2 and password != password2:
- raise MKUserError("password2", _("The both passwords do
not match."))
+ raise MKUserError("_password2", _("The both passwords do
not match."))
# Detect switch back from automation to password
if "automation_secret" in user_attrs:
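Review bot: The rename of the `html.var` lookups at the top of the hunk to `_auth_secret`, `_password_…` and `_password2_…` closes the leak only because of an implicit convention that `_`-prefixed request variables are not copied into generated links; nothing at the read site says so, so a later "cleanup" back to plain names would silently reintroduce the disclosure. Add a comment above the `auth_method` check, e.g. `# NOTE: credential fields are "_"-prefixed so they are not carried over into generated URLs (browser history / access logs); keep the prefix.`, and the same comment where the inputs are emitted in the three following hunks. If the request-variable helper can drop a variable once it has been read, clearing the secret and both password variables immediately after reading them here would give a second line of defence that does not depend on the naming convention, but that helper is not visible from this hunk. A regression test asserting that no generated link on the resulting page contains the submitted credential values would pin the fix. The enclosing method starts and ends outside the hunk.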
@@ -9463,14 +9463,14 @@ class ModeEditUser(WatoMode):
html.open_td()
if not self._is_locked('password'):
- html.password_input("password_" + self._pw_suffix(),
autocomplete="new-password")
+ html.password_input("_password_" + self._pw_suffix(),
autocomplete="new-password")
html.close_td()
html.close_tr()
html.open_tr()
html.td(_("repeat:"))
html.open_td()
- html.password_input("password2_" + self._pw_suffix(),
autocomplete="new-password")
+ html.password_input("_password2_" + self._pw_suffix(),
autocomplete="new-password")
html.write_text(" (%s)" % _("optional"))
html.close_td()
html.close_tr()
@@ -9486,8 +9486,8 @@ class ModeEditUser(WatoMode):
html.write_text(_("Not permitted to change the password. Change can
not be enforced."))
else:
html.i(_('The password can not be changed (It is locked by the user
connector).'))
- html.hidden_field('password', '')
- html.hidden_field('password2', '')
+ html.hidden_field('_password', '')
+ html.hidden_field('_password2', '')
html.close_td()
html.close_tr()
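Review bot: The hidden fields now named `'_password'` and `'_password2'` carry no `self._pw_suffix()` part, while the read side in the first hunk uses `"_password_" + self._pw_suffix()`, so unless `_pw_suffix()` can yield an empty string (not visible here) these fields are never read and the rename preserves a dead pair of variables; the `MKUserError("_password2", …)` in the first hunk has the same suffix-less name. Either emit them with the suffix, `html.hidden_field('_password_' + self._pw_suffix(), '')` and `html.hidden_field('_password2_' + self._pw_suffix(), '')`, or drop them with a one-line comment explaining that no password field is submitted when the connector locks the password. The enclosing method starts and ends outside the hunk.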
@@ -9498,7 +9498,7 @@ class ModeEditUser(WatoMode):
_("Automation secret for machine accounts"))
html.open_ul()
- html.text_input("secret", self._user.get("automation_secret",
""), size=30,
+ html.text_input("_auth_secret",
self._user.get("automation_secret", ""), size=30,
id_="automation_secret")
html.write_text(" ")
html.open_b(style=["position: relative", "top: 4px;"])