[checkmk-commits] 6609 SEC Fixed possible XSS on SNMP MIB upload page

Module: check_mk Branch: master Commit: 5d1f0af0d26a40eb4243caaa390e11b6475590c8 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=5d1f0af0d26a40… Author: Lars Michelsen <lm(a)mathias-kettner.de> Date: Thu Sep 13 20:25:12 2018 +0200 6609 SEC Fixed possible XSS on SNMP MIB upload page Using MIB files with specific names it was possible to trigger an XSS on the MIB file administration page which only affected admin users. Change-Id: I04b606cdb25eeeda17afe13ca3c05a354570435c --- .werks/6609 | 11 +++++++++++ cmk/gui/wato/mkeventd.py | 8 ++++---- 2 files changed, 15 insertions(+), 4 deletions(-) diff --git a/.werks/6609 b/.werks/6609 new file mode 100644 index 0000000..f507293 --- /dev/null +++ b/.werks/6609 @@ -0,0 +1,11 @@ +Title: Fixed possible XSS on SNMP MIB upload page +Level: 1 +Component: wato +Compatible: compat +Edition: cre +Version: 1.6.0i1 +Date: 1536863066 +Class: security + +Using MIB files with specific names it was possible to trigger an XSS +on the MIB file administration page which only affected admin users. diff --git a/cmk/gui/wato/mkeventd.py b/cmk/gui/wato/mkeventd.py index 84ff85d..c53de79 100644 --- a/cmk/gui/wato/mkeventd.py +++ b/cmk/gui/wato/mkeventd.py @@ -2543,10 +2543,10 @@ class ModeEventConsoleMIBs(EventConsoleMode): delete_url = make_action_link([("mode", "mkeventd_mibs"), ("_delete", filename)]) html.icon_button(delete_url, _("Delete this MIB"), "delete") - table.cell(_("Filename"), filename) - table.cell(_("MIB"), mib.get("name", "")) - table.cell(_("Organization"), mib.get("organization", "")) - table.cell(_("Size"), cmk.render.bytes(mib.get("size", 0)), css="number") + table.text_cell(_("Filename"), filename) + table.text_cell(_("MIB"), mib.get("name", "")) + table.text_cell(_("Organization"), mib.get("organization", "")) + table.text_cell(_("Size"), cmk.render.bytes(mib.get("size", 0)), css="number") table.end()