[checkmk-commits] Check_MK Git: check_mk: #2388 SEC Fixed reflected XSS on the index page using the start_url parameter

Module: check_mk Branch: master Commit: a2677e45e0883a8b91df64dc1975a4668e3e43e7 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=a2677e45e0883a… Author: Lars Michelsen &lt;lm(a)mathias-kettner.de&gt; Date: Tue Jun 30 10:33:08 2015 +0200 #2388 SEC Fixed reflected XSS on the index page using the start_url parameter --- .werks/2388 | 9 +++++++++ ChangeLog | 1 + web/htdocs/main.py | 11 ++++++++--- 3 files changed, 18 insertions(+), 3 deletions(-) diff --git a/.werks/2388 b/.werks/2388 new file mode 100644 index 0000000..1df911a --- /dev/null +++ b/.werks/2388 @@ -0,0 +1,9 @@ +Title: Fixed reflected XSS on the index page using the start_url parameter +Level: 1 +Component: multisite +Class: security +Compatible: compat +State: unknown +Version: 1.2.7i3 +Date: 1435653074 + diff --git a/ChangeLog b/ChangeLog index 06d8cda..ec8b852 100644 --- a/ChangeLog +++ b/ChangeLog @@ -26,6 +26,7 @@ Multisite: * 2385 SEC: Fixed possible reflected XSS on all GUI pages where users can produce unhandled exceptions... * 2387 SEC: Fixed XSS problem on all pages using confirm dialogs outputting user provided parameters... + * 2388 SEC: Fixed reflected XSS on the index page using the start_url parameter * 2314 FIX: Availability: fixed exception when grouping by host or service group * 2361 FIX: Fix exception for missing key 'title' in certain cases of older customized views * 2379 FIX: Plugin-Output: Fixed handling of URLs within output of check_http... diff --git a/web/htdocs/main.py b/web/htdocs/main.py index 6c9d161..a89ad03 100644 --- a/web/htdocs/main.py +++ b/web/htdocs/main.py @@ -28,12 +28,17 @@ import defaults, config def page_index(): default_start_url = config.user.get("start_url") or config.start_url - start_url = html.var("start_url", default_start_url) + start_url = html.var("start_url", default_start_url).strip() + # Prevent redirecting to absolute URL which could be used to redirect - # users to compromised pages + # users to compromised pages. if '://' in start_url: start_url = default_start_url + # Also prevent using of "javascript:" URLs which could used to inject code + if start_url.startswith('javascript:'): + start_url = default_start_url + # Do not cache the index page -> caching problems when page is accessed # while not logged in #html.req.headers_out.add("Cache-Control", "max-age=7200, public"); @@ -55,7 +60,7 @@ def page_index(): <frame src="%s" name="main" noresize> </frameset> </html> -""" % (heading, start_url)) +""" % (html.attrencode(heading), html.attrencode(start_url))) # This function does almost nothing. It just makes sure that # a livestatus-connection is built up, since connect_to_livestatus()