Module: check_mk
Branch: master
Commit: 63eecd7c3f18a285049b9685b74c610b1e960141
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=63eecd7c3f18a2…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Wed Jan 24 14:58:24 2018 +0100
5654 SEC Fixed XSS on the site management page
When using the WATO configuration it was possible to create a site on
the distributed monitoring page with javascript code in its alias.
When this site was later displayed in the site tables, the javascript
code could be executed in the browser context of the user viewing the
table.
The insertion of the javascript code is only possible for authenticated
users with the permission to configure Check_MK sites.
Change-Id: Iee73cf89af0544fda08f6aaf8884a5c9aab000c5
---
.werks/5654 | 18 ++++++++++++++++++
web/htdocs/wato.py | 24 ++++++++++++------------
2 files changed, 30 insertions(+), 12 deletions(-)
diff --git a/.werks/5654 b/.werks/5654
new file mode 100644
index 0000000..e20ab94
--- /dev/null
+++ b/.werks/5654
@@ -0,0 +1,18 @@
+Title: Fixed XSS on the site management page
+Level: 1
+Component: multisite
+Class: security
+Compatible: compat
+Edition: cre
+State: unknown
+Version: 1.5.0i3
+Date: 1516802216
+
+When using the WATO configuration it was possible to create a site on
+the distributed monitoring page which uses with javascript code in
+it's alias. When this site was later displayed in the site tables, the
+javascript code could be executed in the browsers context of the user
+viewing the table.
+
+The insertion of the javascript code is only possible for authenticated
+users with the permission to configure Check_MK sites.
diff --git a/web/htdocs/wato.py b/web/htdocs/wato.py
index 4982c96..cb28caf 100644
--- a/web/htdocs/wato.py
+++ b/web/htdocs/wato.py
@@ -5619,7 +5619,7 @@ class ModeActivateChanges(WatoMode, watolib.ActivateChanges):
if site_url:
html.icon_button(site_url, _("Open this site's local web user
interface"), "url", target="_blank")
- table.cell(_("Site"), site.get("alias", site_id))
+ table.text_cell(_("Site"), site.get("alias", site_id))
# Livestatus
table.cell(_("Status"), css="narrow nobr")
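Review bot: `site_url` on the line above the changed cell is still handed to `html.icon_button` without any visible encoding; if it is derived from the user-editable site configuration (that is not visible here) it deserves the same scrutiny as the alias — confirm that `icon_button` attribute-encodes the href and that only http(s) URLs are accepted. The alias change itself is right: `site.get("alias", site_id)` is operator-controlled text and belongs in `text_cell`. The enclosing `ModeActivateChanges` table rendering continues outside this hunk.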
@@ -9865,8 +9865,8 @@ class ModeDistributedMonitoring(ModeSites):
def _page_basic_settings(self, site_id, site):
- table.cell(_("ID"), site_id)
- table.cell(_("Alias"), site.get("alias", ""))
+ table.text_cell(_("ID"), site_id)
+ table.text_cell(_("Alias"), site.get("alias", ""))
def _page_livestatus_settings(self, site_id, site):
@@ -9883,27 +9883,27 @@ class ModeDistributedMonitoring(ModeSites):
# Status host
if site.get("status_host"):
sh_site, sh_host = site["status_host"]
- table.cell(_("Status host"), "%s/%s" % (sh_site,
sh_host))
+ table.text_cell(_("Status host"), "%s/%s" % (sh_site,
sh_host))
else:
- table.cell(_("Status host"))
+ table.text_cell(_("Status host"))
# Disabled
if site.get("disabled", False) == True:
- table.cell(_("Disabled"), "<b>%s</b>" %
_("yes"))
+ table.text_cell(_("Disabled"), "<b>%s</b>" %
_("yes"))
else:
- table.cell(_("Disabled"), _("no"))
+ table.text_cell(_("Disabled"), _("no"))
# Timeout
if "timeout" in site:
- table.cell(_("Timeout"), _("%d sec") %
int(site["timeout"]), css="number")
+ table.text_cell(_("Timeout"), _("%d sec") %
int(site["timeout"]), css="number")
else:
- table.cell(_("Timeout"), "")
+ table.text_cell(_("Timeout"), "")
# Persist
if site.get("persist", False):
- table.cell(_("Pers."), "<b>%s</b>" %
_("yes"))
+ table.text_cell(_("Pers."), "<b>%s</b>" %
_("yes"))
else:
- table.cell(_("Pers."), _("no"))
+ table.text_cell(_("Pers."), _("no"))
def _page_replication_configuration(self, site_id, site):
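Review bot: The two `"<b>%s</b>" % _("yes")` cells (`Disabled` and `Pers.`) are now rendered through `table.text_cell`, so if `text_cell` escapes its content — which is presumably what makes it the XSS fix — the bold tags will show up literally as `&lt;b&gt;yes&lt;/b&gt;` rather than as markup. Only the translated literal `_("yes")` is interpolated there, not site data, so either keep those two branches on `table.cell` (e.g. `table.cell(_("Disabled"), "<b>%s</b>" % _("yes"))`) or drop the `<b>` tags and keep `text_cell`. The other conversions in this hunk (status host `"%s/%s" % (sh_site, sh_host)`, timeout) do carry user-editable site values and are correct as escaped text. The enclosing `_page_livestatus_settings` starts before this hunk.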
@@ -9916,7 +9916,7 @@ class ModeDistributedMonitoring(ModeSites):
repl += ", " + _("MKPs")
else:
repl = ""
- table.cell(_("Replication"), repl)
+ table.text_cell(_("Replication"), repl)
# Login-Button for Replication
table.cell(_("Login"))