[checkmk-commits] Check_MK Git: check_mk: FIX Fix security issue in code of row selections ( checkboxes) (CVSS 4.9 AV:N/AC:M/Au:S/C:N/I:P/A:P)

Module: check_mk Branch: master Commit: 78c0c2779393a822f62924c662b8022572a1be9c URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=78c0c2779393a8… Author: Mathias Kettner <mk(a)mathias-kettner.de> Date: Tue May 27 11:59:11 2014 +0200 FIX Fix security issue in code of row selections (checkboxes) (CVSS 4.9 AV:N/AC:M/Au:S/C:N/I:P/A:P) The fixed weakness was: The check_mk application does allow an attacker to write check_mk config files (.mk files) on arbitrary locations on the server filesystem. --- .werks/983 | 12 ++++++++++++ ChangeLog | 1 + web/htdocs/weblib.py | 9 ++++++++- 3 files changed, 21 insertions(+), 1 deletion(-) diff --git a/.werks/983 b/.werks/983 new file mode 100644 index 0000000..ae7e8f7 --- /dev/null +++ b/.werks/983 @@ -0,0 +1,12 @@ +Title: Fix security issue in code of row selections (checkboxes) (CVSS 4.9 AV:N/AC:M/Au:S/C:N/I:P/A:P) +Level: 2 +Component: multisite +Class: security +State: unknown +Version: 1.2.5i4 +Date: 1401184643 + +The fixed weakness was: + +The check_mk application does allow an attacker to write check_mk config files +(.mk files) on arbitrary locations on the server filesystem. diff --git a/ChangeLog b/ChangeLog index 7b578f3..57219a8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,6 +23,7 @@ Multisite: * 0982 SEC: Fix two XSS weaknesses according to CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C... + * 0983 SEC: Fix security issue in code of row selections (checkboxes) (CVSS 4.9 AV:N/AC:M/Au:S/C:N/I:P/A:P)... * 0934 FIX: Logwatch messages with class unknown ( 'u' ) now displayed as WARN... * 0166 FIX: mobile gui: Fixed colors of command list... * 0820 FIX: Fixed wrong NagVis links in "custom links" snapin diff --git a/web/htdocs/weblib.py b/web/htdocs/weblib.py index f3c6022..f00ccef 100644 --- a/web/htdocs/weblib.py +++ b/web/htdocs/weblib.py @@ -26,6 +26,7 @@ import config import lib +import re def ajax_tree_openclose(): html.load_tree_states() @@ -78,7 +79,13 @@ def selection_id(): if not html.has_var('selection'): sel_id = lib.gen_id() html.add_var('selection', sel_id) - return html.var('selection') + else: + sel_id = html.var('selection') + # Avoid illegal file access by introducing .. or / + if not re.match("^[-0-9a-zA-Z]+$", sel_id): + return lib.gen_id() + else: + return sel_id def get_rowselection(ident): vo = config.load_user_file("rowselection/%s" % selection_id(), {})