Module: check_mk
Branch: master
Commit: 78c0c2779393a822f62924c662b8022572a1be9c
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=78c0c2779393a8…
Author: Mathias Kettner <mk(a)mathias-kettner.de>
Date: Tue May 27 11:59:11 2014 +0200
FIX Fix security issue in code of row selections (checkboxes) (CVSS 4.9
AV:N/AC:M/Au:S/C:N/I:P/A:P)
The fixed weakness was:
The check_mk application allowed an attacker to write check_mk config files
(.mk files) to arbitrary locations on the server filesystem.
---
.werks/983 | 12 ++++++++++++
ChangeLog | 1 +
web/htdocs/weblib.py | 9 ++++++++-
3 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/.werks/983 b/.werks/983
new file mode 100644
index 0000000..ae7e8f7
--- /dev/null
+++ b/.werks/983
@@ -0,0 +1,12 @@
+Title: Fix security issue in code of row selections (checkboxes) (CVSS 4.9
AV:N/AC:M/Au:S/C:N/I:P/A:P)
+Level: 2
+Component: multisite
+Class: security
+State: unknown
+Version: 1.2.5i4
+Date: 1401184643
+
+The fixed weakness was:
+
+The check_mk application does allow an attacker to write check_mk config files
+(.mk files) on arbitrary locations on the server filesystem.
diff --git a/ChangeLog b/ChangeLog
index 7b578f3..57219a8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -23,6 +23,7 @@
Multisite:
* 0982 SEC: Fix two XSS weaknesses according to CVSS 8.5
AV:N/AC:M/Au:S/C:C/I:C/A:C...
+ * 0983 SEC: Fix security issue in code of row selections (checkboxes) (CVSS 4.9
AV:N/AC:M/Au:S/C:N/I:P/A:P)...
* 0934 FIX: Logwatch messages with class unknown ( 'u' ) now displayed as
WARN...
* 0166 FIX: mobile gui: Fixed colors of command list...
* 0820 FIX: Fixed wrong NagVis links in "custom links" snapin
diff --git a/web/htdocs/weblib.py b/web/htdocs/weblib.py
index f3c6022..f00ccef 100644
--- a/web/htdocs/weblib.py
+++ b/web/htdocs/weblib.py
@@ -26,6 +26,7 @@
import config
import lib
+import re
def ajax_tree_openclose():
html.load_tree_states()
@@ -78,7 +79,13 @@ def selection_id():
if not html.has_var('selection'):
sel_id = lib.gen_id()
html.add_var('selection', sel_id)
- return html.var('selection')
+ else:
+ sel_id = html.var('selection')
+ # Avoid illegal file access by introducing .. or /
+ if not re.match("^[-0-9a-zA-Z]+$", sel_id):
+ return lib.gen_id()
+ else:
+ return sel_id
def get_rowselection(ident):
vo = config.load_user_file("rowselection/%s" % selection_id(), {})
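Review bot: The validation on the `re.match("^[-0-9a-zA-Z]+$", sel_id)` line still accepts a value with a single trailing newline, because `$` in Python regexes also matches just before a final `\n`; the accepted id then goes straight into the `"rowselection/%s"` path in get_rowselection. That is not a traversal, but it is an unintended byte in a filename the check is meant to lock down, so anchor with `\Z` instead: `if not re.match(r"^[-0-9a-zA-Z]+\Z", sel_id):`. Separately, the rejection branch returns `lib.gen_id()` without calling `html.add_var('selection', ...)` the way the first branch does, so a request carrying a bad id would presumably get a fresh id on every call of selection_id() rather than one consistent id; storing it first (`sel_id = lib.gen_id()` then `html.add_var('selection', sel_id)`) would keep the two branches symmetric. The `def selection_id():` line itself is outside this hunk, as is the rest of get_rowselection.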