Module: check_mk
Branch: master
Commit: 14a5b79c6f549502244a60146ed6831dc3473f2a
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=14a5b79c6f5495…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Wed Jun 14 19:57:33 2017 +0200
4757 SEC Fixed possible reflected XSS in webapi.py
In the Check_MK 1.4 branch URLs like this could be used for a
reflected XSS attack:
<tt>http://<test
host>/<site>/check_mk/webapi.py?_username=<script>alert("XSS")</script>&_secret=AnythingHere
The error message was interpreted as HTML while it should be a
plain text error message. This has been fixed now.
Change-Id: Id4f61d6739d1846666031faad00505b22ba45d1f
---
.werks/4757 | 17 +++++++++++++++++
web/htdocs/index.py | 6 ++++--
2 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/.werks/4757 b/.werks/4757
new file mode 100644
index 0000000..a9e561b
--- /dev/null
+++ b/.werks/4757
@@ -0,0 +1,17 @@
+Title: Fixed possible reflected XSS in webapi.py
+Level: 2
+Component: multisite
+Class: security
+Compatible: compat
+Edition: cre
+State: unknown
+Version: 1.5.0i1
+Date: 1497462847
+
+In the Check_MK 1.4 branch URLs like this could be used for a
+reflected XSS attack:
+
+<tt>http://<test
host>/<site>/check_mk/webapi.py?_username=<script>alert("XSS")</script>&_secret=AnythingHere
+
+The error message was interpreted as HTML while it should be a
+plain text error message. This has been fixed now.
diff --git a/web/htdocs/index.py b/web/htdocs/index.py
index 2c84a6a..a0f29dd 100644
--- a/web/htdocs/index.py
+++ b/web/htdocs/index.py
@@ -71,7 +71,7 @@ def handler(mod_python_req, fields = None, is_profiling = False):
try:
handler()
except Exception, e:
- html.write("%s" % e)
+ html.write_text("%s" % e)
if config.debug:
html.write_text(traceback.format_exc())
raise FinalizeRequest()
@@ -117,6 +117,7 @@ def handler(mod_python_req, fields = None, is_profiling = False):
plain_title = e.plain_title()
if plain_error():
+ html.set_output_format("text")
html.write("%s: %s\n" % (plain_title, e))
elif not fail_silently():
html.header(title)
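Review bot: After `html.set_output_format("text")` the next line still emits the exception text unescaped via `html.write(...)`, so this branch is safe only if the format switch really changes the response Content-Type before anything has been sent; the same pattern is introduced in the third hunk (lines 69–70), where `write_text` is additionally replaced by `write`, presumably because escaping would be wrong in a plain-text body. Whether `set_output_format` has that effect once headers are out cannot be seen in this diff, and the first hunk solves the same problem differently (escaping, no format switch), so the three paths are harder to audit together than they need to be. At minimum the reliance should be written down next to the call, e.g. `# plain-text response: the exception text is not escaped, so the Content-Type must not be HTML here`, and it is worth confirming that nothing has been written to the client before this point in either branch. handler() starts and ends outside the hunk.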
@@ -142,7 +143,8 @@ def handler(mod_python_req, fields = None, is_profiling = False):
html.unplug_all()
log_exception()
if plain_error():
- html.write_text(_("Internal error") + ": %s\n" % e)
+ html.set_output_format("text")
+ html.write(_("Internal error") + ": %s\n" % e)
elif not fail_silently():
modules.get_handler("gui_crash")()
response_code = apache.OK