[checkmk-commits] 5654 SEC Fixed XSS on the site management page

Module: check_mk Branch: master Commit: 63eecd7c3f18a285049b9685b74c610b1e960141 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=63eecd7c3f18a2… Author: Lars Michelsen &lt;lm(a)mathias-kettner.de&gt; Date: Wed Jan 24 14:58:24 2018 +0100 5654 SEC Fixed XSS on the site management page When using the WATO configuration it was possible to create a site on the distributed monitoring page which uses with javascript code in it's alias. When this site was later displayed in the site tables, the javascript code could be executed in the browsers context of the user viewing the table. The insertion of the javascript code is only possible for authenticated users with the permission to configure Check_MK sites. Change-Id: Iee73cf89af0544fda08f6aaf8884a5c9aab000c5 --- .werks/5654 | 18 ++++++++++++++++++ web/htdocs/wato.py | 24 ++++++++++++------------ 2 files changed, 30 insertions(+), 12 deletions(-) diff --git a/.werks/5654 b/.werks/5654 new file mode 100644 index 0000000..e20ab94 --- /dev/null +++ b/.werks/5654 @@ -0,0 +1,18 @@ +Title: Fixed XSS on the site management page +Level: 1 +Component: multisite +Class: security +Compatible: compat +Edition: cre +State: unknown +Version: 1.5.0i3 +Date: 1516802216 + +When using the WATO configuration it was possible to create a site on +the distributed monitoring page which uses with javascript code in +it's alias. When this site was later displayed in the site tables, the +javascript code could be executed in the browsers context of the user +viewing the table. + +The insertion of the javascript code is only possible for authenticated +users with the permission to configure Check_MK sites. diff --git a/web/htdocs/wato.py b/web/htdocs/wato.py index 4982c96..cb28caf 100644 --- a/web/htdocs/wato.py +++ b/web/htdocs/wato.py @@ -5619,7 +5619,7 @@ class ModeActivateChanges(WatoMode, watolib.ActivateChanges): if site_url: html.icon_button(site_url, _("Open this site's local web user interface"), "url", target="_blank") - table.cell(_("Site"), site.get("alias", site_id)) + table.text_cell(_("Site"), site.get("alias", site_id)) # Livestatus table.cell(_("Status"), css="narrow nobr") @@ -9865,8 +9865,8 @@ class ModeDistributedMonitoring(ModeSites): def _page_basic_settings(self, site_id, site): - table.cell(_("ID"), site_id) - table.cell(_("Alias"), site.get("alias", "")) + table.text_cell(_("ID"), site_id) + table.text_cell(_("Alias"), site.get("alias", "")) def _page_livestatus_settings(self, site_id, site): @@ -9883,27 +9883,27 @@ class ModeDistributedMonitoring(ModeSites): # Status host if site.get("status_host"): sh_site, sh_host = site["status_host"] - table.cell(_("Status host"), "%s/%s" % (sh_site, sh_host)) + table.text_cell(_("Status host"), "%s/%s" % (sh_site, sh_host)) else: - table.cell(_("Status host")) + table.text_cell(_("Status host")) # Disabled if site.get("disabled", False) == True: - table.cell(_("Disabled"), "<b>%s</b>" % _("yes")) + table.text_cell(_("Disabled"), "<b>%s</b>" % _("yes")) else: - table.cell(_("Disabled"), _("no")) + table.text_cell(_("Disabled"), _("no")) # Timeout if "timeout" in site: - table.cell(_("Timeout"), _("%d sec") % int(site["timeout"]), css="number") + table.text_cell(_("Timeout"), _("%d sec") % int(site["timeout"]), css="number") else: - table.cell(_("Timeout"), "") + table.text_cell(_("Timeout"), "") # Persist if site.get("persist", False): - table.cell(_("Pers."), "<b>%s</b>" % _("yes")) + table.text_cell(_("Pers."), "<b>%s</b>" % _("yes")) else: - table.cell(_("Pers."), _("no")) + table.text_cell(_("Pers."), _("no")) def _page_replication_configuration(self, site_id, site): @@ -9916,7 +9916,7 @@ class ModeDistributedMonitoring(ModeSites): repl += ", " + _("MKPs") else: repl = "" - table.cell(_("Replication"), repl) + table.text_cell(_("Replication"), repl) # Login-Button for Replication table.cell(_("Login"))