Module: check_mk
Branch: master
Commit: a2677e45e0883a8b91df64dc1975a4668e3e43e7
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=a2677e45e0883a…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Jun 30 10:33:08 2015 +0200
#2388 SEC Fixed reflected XSS on the index page using the start_url parameter
---
.werks/2388 | 9 +++++++++
ChangeLog | 1 +
web/htdocs/main.py | 11 ++++++++---
3 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/.werks/2388 b/.werks/2388
new file mode 100644
index 0000000..1df911a
--- /dev/null
+++ b/.werks/2388
@@ -0,0 +1,9 @@
+Title: Fixed reflected XSS on the index page using the start_url parameter
+Level: 1
+Component: multisite
+Class: security
+Compatible: compat
+State: unknown
+Version: 1.2.7i3
+Date: 1435653074
+
diff --git a/ChangeLog b/ChangeLog
index 06d8cda..ec8b852 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -26,6 +26,7 @@
Multisite:
* 2385 SEC: Fixed possible reflected XSS on all GUI pages where users can produce
unhandled exceptions...
* 2387 SEC: Fixed XSS problem on all pages using confirm dialogs outputting user
provided parameters...
+ * 2388 SEC: Fixed reflected XSS on the index page using the start_url parameter
* 2314 FIX: Availability: fixed exception when grouping by host or service group
* 2361 FIX: Fix exception for missing key 'title' in certain cases of older
customized views
* 2379 FIX: Plugin-Output: Fixed handling of URLs within output of check_http...
diff --git a/web/htdocs/main.py b/web/htdocs/main.py
index 6c9d161..a89ad03 100644
--- a/web/htdocs/main.py
+++ b/web/htdocs/main.py
@@ -28,12 +28,17 @@ import defaults, config
def page_index():
default_start_url = config.user.get("start_url") or config.start_url
- start_url = html.var("start_url", default_start_url)
+ start_url = html.var("start_url", default_start_url).strip()
+
# Prevent redirecting to absolute URL which could be used to redirect
- # users to compromised pages
+ # users to compromised pages.
if '://' in start_url:
start_url = default_start_url
+ # Also prevent using of "javascript:" URLs which could used to inject code
+ if start_url.startswith('javascript:'):
+ start_url = default_start_url
+
# Do not cache the index page -> caching problems when page is accessed
# while not logged in
#html.req.headers_out.add("Cache-Control", "max-age=7200,
public");
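Review bot: The added `start_url.startswith('javascript:')` check is case-sensitive and names a single scheme, so the redirect target read from `html.var` is still only partially validated, and the existing `'://' in start_url` check does not cover protocol-relative references of the form `//host/path`. Rather than extending the denylist, validating the parsed URL rejects every scheme and every network-path reference at once: `if urlparse.urlparse(start_url).scheme or start_url.startswith('//'):` followed by the existing `start_url = default_start_url` (with `urlparse` imported at the top of the file, which is outside this hunk). The new `.strip()` also assumes `html.var` never returns None, which holds only as long as `config.start_url` is always set; presumably it is, but that is worth confirming. The remainder of page_index, including the later line that interpolates start_url into the frameset, lies outside this hunk.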
@@ -55,7 +60,7 @@ def page_index():
<frame src="%s" name="main" noresize>
</frameset>
</html>
-""" % (heading, start_url))
+""" % (html.attrencode(heading), html.attrencode(start_url)))
# This function does almost nothing. It just makes sure that
# a livestatus-connection is built up, since connect_to_livestatus()