Module: check_mk
Branch: master
Commit: a328b1099f8cca6ef7c33e98fabb061b1d2cfb2b
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=a328b1099f8cca…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Jun 30 09:32:02 2015 +0200
#2384 SEC Prevent user passwords from being visible in webserver log on user creation
When a user is created using WATO, the set values of the form fields were logged
directly into the webserver access log, because the form of this page used the
GET request method. Users who have access to the log files would be able to
see the initial passwords. If you use an older version of Check_MK it is a good
idea to set the "Change password at next login or access" option to force the user
to change his password on first login.
We changed this form to perform a POST request now to prevent this information
from being written to the logs.
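The leak described above leaves credentials in the request line of the access log, so the defender-side follow-up is to find and scrub such lines. The following Python is an added example, not part of this commit or of Check_MK; the parameter names, paths and log lines it uses are constructed.

```python
"""Find and redact secrets that a GET-based form left in a webserver access log.

Added example (not Check_MK code). It inspects the request line of
Apache/nginx combined-format entries: with GET the form fields travel in the
query string and end up in the log, with POST the body is never logged.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Request line inside a combined-format entry: "METHOD TARGET HTTP/x.y"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Parameter names that look like secrets (constructed heuristic, extend as needed).
SECRET_NAME = re.compile(r"pass|secret|token", re.I)

# Query parameter with a secret-looking name; group 1 keeps "&name=", the value is dropped.
REDACT = re.compile(r'([?&][^=&\s"]*(?:pass|secret|token)[^=&\s"]*=)[^&\s"]*', re.I)

# Constructed sample log; paths and field names are placeholders, not taken from WATO.
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Jun/2015:09:20:11 +0200] "GET /mysite/check_mk/wato.py?mode=edit_user&user_id=jdoe&password=Hunter2&alias=John HTTP/1.1" 200 5120',
    '10.0.0.5 - - [30/Jun/2015:09:21:02 +0200] "POST /mysite/check_mk/wato.py?mode=edit_user HTTP/1.1" 200 5088',
    '10.0.0.9 - - [30/Jun/2015:09:22:45 +0200] "GET /mysite/check_mk/wato.py?mode=users HTTP/1.1" 200 3301',
]


def find_leaked_secrets(log_lines):
    """Return (line_no, method, path, sorted secret parameter names) per affected
    request. Only names are reported, so the finding does not re-leak the value."""
    findings = []
    for line_no, line in enumerate(log_lines, 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue  # malformed or non-combined line, skip
        parts = urlsplit(m.group("target"))
        leaked = sorted({name for name, _ in parse_qsl(parts.query, keep_blank_values=True)
                         if SECRET_NAME.search(name)})
        if leaked:
            findings.append((line_no, m.group("method"), parts.path, leaked))
    return findings


def redact_line(line):
    """Rewrite one log line so secret-looking query values read [REDACTED]."""
    return REDACT.sub(r"\1[REDACTED]", line)


if __name__ == "__main__":
    for line_no, method, path, names in find_leaked_secrets(SAMPLE_LOG):
        print(f"line {line_no}: {method} {path} leaks {', '.join(names)}")
    print(redact_line(SAMPLE_LOG[0]))
```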
---
.werks/2384 | 18 ++++++++++++++++++
ChangeLog | 1 +
web/htdocs/wato.py | 4 ++--
3 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/.werks/2384 b/.werks/2384
new file mode 100644
index 0000000..4ca6dbe
--- /dev/null
+++ b/.werks/2384
@@ -0,0 +1,18 @@
+Title: Prevent user passwords from being visible in webserver log on user creation
+Level: 1
+Component: wato
+Class: security
+Compatible: compat
+State: unknown
+Version: 1.2.7i3
+Date: 1435649205
+
+When a user is created using WATO, the set values of the form fields were logged
+directly into the webserver access log, because the form of this page used the
+GET request method. Users which have access to the log files would be able to
+see the initial passwords. If you use an older version of Check_MK it is a good
+idea to set the "Change password at next login or access" to force the user
+to change his password on first login.
+
+We changed this form to perform a POST request now to prevent these information
+being written to the logs.
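Review bot: the werk text needs a grammar pass before it ships in the release notes: "Users which have access" should read "Users who have access", "prevent these information being written" should read "prevent this information from being written", and the sentence about "Change password at next login or access" is missing the word "option". The werk also describes only the switch to POST, while the same commit changes how the delete link in mode_users is built; either mention that change here or move it to its own commit.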
diff --git a/ChangeLog b/ChangeLog
index 62e420b..60ecfc5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -31,6 +31,7 @@
WATO:
* 2365 Removed old deprecated notification global options for plain emails...
+ * 2384 SEC: Prevent user passwords from being visible in webserver log on user
creation...
* 2344 FIX: Improved validation of selected rules when editing BI aggregations...
* 2346 FIX: Notifications: Fixed garbled page when switching on/off
bulks/backlog/user rules
diff --git a/web/htdocs/wato.py b/web/htdocs/wato.py
index ac18fe1..37e08ee 100644
--- a/web/htdocs/wato.py
+++ b/web/htdocs/wato.py
@@ -11924,7 +11924,7 @@ def mode_users(phase):
clone_url = make_link([("mode", "edit_user"),
("clone", id)])
html.icon_button(clone_url, _("Create a copy of this user"),
"clone")
- delete_url = html.makeactionuri([("_delete", id)])
+ delete_url = make_action_link([("mode", "users"),
("_delete", id)])
html.icon_button(delete_url, _("Delete"), "delete")
notifications_url = make_link([("mode",
"user_notifications"), ("user", id)])
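Review bot: the replacement of html.makeactionuri([("_delete", id)]) with make_action_link([("mode", "users"), ("_delete", id)]) is not explained by the commit message or the werk, which only talk about the request method of the user form; please state why the delete link has to change in this fix (for example, if the current page URL no longer carries the mode after the POST switch) or split it out. Also confirm that make_action_link attaches the same transaction id that makeactionuri did, so the delete action keeps its replay protection.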
@@ -12251,7 +12251,7 @@ def mode_edit_user(phase):
# Let exceptions from loading notification scripts happen now
load_notification_scripts()
- html.begin_form("user")
+ html.begin_form("user", method="POST")
forms.header(_("Identity"))
# ID
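Review bot: method="POST" keeps the form values out of the access log request line and, since mode_edit_user serves both creating and editing users, covers both paths of the reported issue. Two follow-ups are worth checking before closing the werk: whether any other WATO form that carries a secret still relies on begin_form's default method, and whether the werk should advise affected installations to scrub or rotate existing access logs, because forcing a password change at next login does not remove the passwords that were already written there.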