Module: check_mk
Branch: master
Commit: 5d1f0af0d26a40eb4243caaa390e11b6475590c8
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=5d1f0af0d26a40…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Thu Sep 13 20:25:12 2018 +0200
6609 SEC Fixed possible XSS on SNMP MIB upload page
Using MIB files with specially crafted names, it was possible to trigger an XSS
on the MIB file administration page; only admin users were affected.
Change-Id: I04b606cdb25eeeda17afe13ca3c05a354570435c
---
.werks/6609 | 11 +++++++++++
cmk/gui/wato/mkeventd.py | 8 ++++----
2 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/.werks/6609 b/.werks/6609
new file mode 100644
index 0000000..f507293
--- /dev/null
+++ b/.werks/6609
@@ -0,0 +1,11 @@
+Title: Fixed possible XSS on SNMP MIB upload page
+Level: 1
+Component: wato
+Compatible: compat
+Edition: cre
+Version: 1.6.0i1
+Date: 1536863066
+Class: security
+
+Using MIB files with specific names it was possible to trigger an XSS
+on the MIB file administration page which only affected admin users.
diff --git a/cmk/gui/wato/mkeventd.py b/cmk/gui/wato/mkeventd.py
index 84ff85d..c53de79 100644
--- a/cmk/gui/wato/mkeventd.py
+++ b/cmk/gui/wato/mkeventd.py
@@ -2543,10 +2543,10 @@ class ModeEventConsoleMIBs(EventConsoleMode):
delete_url = make_action_link([("mode",
"mkeventd_mibs"), ("_delete", filename)])
html.icon_button(delete_url, _("Delete this MIB"),
"delete")
- table.cell(_("Filename"), filename)
- table.cell(_("MIB"), mib.get("name", ""))
- table.cell(_("Organization"), mib.get("organization",
""))
- table.cell(_("Size"), cmk.render.bytes(mib.get("size",
0)), css="number")
+ table.text_cell(_("Filename"), filename)
+ table.text_cell(_("MIB"), mib.get("name", ""))
+ table.text_cell(_("Organization"),
mib.get("organization", ""))
+ table.text_cell(_("Size"),
cmk.render.bytes(mib.get("size", 0)), css="number")
table.end()
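Review bot: Switching the four cells to `table.text_cell` escapes only these sinks; `filename`, `mib["name"]` and `mib["organization"]` are controlled by whoever uploads a MIB, and the same values are presumably rendered elsewhere in this mode (a delete confirmation, the upload result message) that this hunk does not cover, so those paths should be checked for the same escaping. The context line above also passes `filename` into `make_action_link(..., ("_delete", filename))`, which is safe only if that helper URL-encodes its values — not verifiable from this hunk. As defense in depth, the upload handler could reject names outside a conservative charset, e.g. `if not re.match(r"^[A-Za-z0-9._-]+$", filename): <reject with a user-facing error>`, which would also rule out path-separator tricks in the stored filename. Note that an XSS "only affecting admin users" is the highest-impact variant here, since those sessions hold full configuration rights. The enclosing method starts outside the hunk.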