[checkmk-commits] 6709 SEC Fixed possible information disclosure to apache log when ing users

Module: check_mk Branch: master Commit: cf4c8dad7211fd648f7ef5c5e3787990e17e28a3 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=cf4c8dad7211fd… Author: Lars Michelsen <lm(a)mathias-kettner.de> Date: Tue Sep 25 13:51:46 2018 +0200 6709 SEC Fixed possible information disclosure to apache log when ing users An administrator has the ability to create new users. The entials of a newly created user were visible within the HTML of the resulting web as GET parameter of various hyperlinks. If one of these links was clicked, the credentials were stored in the administrator’s browser history and he access logs of the server. CMK-967 Change-Id: I1be7051d97756b1fd4135b032833df18de63eee5 --- .werks/6709 | 15 +++++++++++++++ cmk/gui/wato/__init__.py | 18 +++++++++--------- 2 files changed, 24 insertions(+), 9 deletions(-) diff --git a/.werks/6709 b/.werks/6709 new file mode 100644 index 0000000..222b4df --- /dev/null +++ b/.werks/6709 @@ -0,0 +1,15 @@ +Title: Fixed possible information disclosure to apache log when editing users +Level: 1 +Component: wato +Class: security +Compatible: compat +Edition: cre +State: unknown +Version: 1.6.0i1 +Date: 1537538044 + +An administrator has the ability to create new users. The credentials of a +newly created user were visible within the HTML of the resulting web page as +GET parameter of various hyperlinks. If one of these links was clicked, the +credentials were stored in the administrator’s browser history and in the access +logs of the server. diff --git a/cmk/gui/wato/__init__.py b/cmk/gui/wato/__init__.py index 100049d..474c151 100644 --- a/cmk/gui/wato/__init__.py +++ b/cmk/gui/wato/__init__.py @@ -9266,21 +9266,21 @@ class ModeEditUser(WatoMode): # Authentication: Password or Secret auth_method = html.var("authmethod") if auth_method == "secret": - secret = html.var("secret", "").strip() + secret = html.var("_auth_secret", "").strip() user_attrs["automation_secret"] = secret user_attrs["password"] = encrypt_password(secret) increase_serial = True # password changed, reflect in auth serial else: - password = html.var("password_" + self._pw_suffix(), '').strip() - password2 = html.var("password2_" + self._pw_suffix(), '').strip() + password = html.var("_password_" + self._pw_suffix(), '').strip() + password2 = html.var("_password2_" + self._pw_suffix(), '').strip() # We compare both passwords only, if the user has supplied # the repeation! We are so nice to our power users... # Note: this validation is done before the main-validiation later on # It doesn't make any sense to put this block into the main validation function if password2 and password != password2: - raise MKUserError("password2", _("The both passwords do not match.")) + raise MKUserError("_password2", _("The both passwords do not match.")) # Detect switch back from automation to password if "automation_secret" in user_attrs: @@ -9463,14 +9463,14 @@ class ModeEditUser(WatoMode): html.open_td() if not self._is_locked('password'): - html.password_input("password_" + self._pw_suffix(), autocomplete="new-password") + html.password_input("_password_" + self._pw_suffix(), autocomplete="new-password") html.close_td() html.close_tr() html.open_tr() html.td(_("repeat:")) html.open_td() - html.password_input("password2_" + self._pw_suffix(), autocomplete="new-password") + html.password_input("_password2_" + self._pw_suffix(), autocomplete="new-password") html.write_text(" (%s)" % _("optional")) html.close_td() html.close_tr() @@ -9486,8 +9486,8 @@ class ModeEditUser(WatoMode): html.write_text(_("Not permitted to change the password. Change can not be enforced.")) else: html.i(_('The password can not be changed (It is locked by the user connector).')) - html.hidden_field('password', '') - html.hidden_field('password2', '') + html.hidden_field('_password', '') + html.hidden_field('_password2', '') html.close_td() html.close_tr() @@ -9498,7 +9498,7 @@ class ModeEditUser(WatoMode): _("Automation secret for machine accounts")) html.open_ul() - html.text_input("secret", self._user.get("automation_secret", ""), size=30, + html.text_input("_auth_secret", self._user.get("automation_secret", ""), size=30, id_="automation_secret") html.write_text(" ") html.open_b(style=["position: relative", "top: 4px;"])