Module: check_mk
Branch: master
Commit: f1eaf035e74ce030280f5c8d927e87d5880eb203
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=f1eaf035e74ce0…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Mon Sep 17 14:03:31 2018 +0200
6620 SEC Fixed missing CSRF protection for site status AJAX calls
The AJAX calls used by the site status snapin were not correctly using
CSRF tokens to protect logged-in users against malicious links that could
trigger state-changing actions.
Change-Id: Ib4ff568b1b07961d7e265ddc80443b3f74a7d4c9
---
.werks/6620 | 12 ++++++++++++
cmk/gui/plugins/sidebar/site_status.py | 8 +++++++-
web/htdocs/js/sidebar.js | 4 ++--
3 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/.werks/6620 b/.werks/6620
new file mode 100644
index 0000000..23dba63
--- /dev/null
+++ b/.werks/6620
@@ -0,0 +1,12 @@
+Title: Fixed missing CSRF protection for site status AJAX calls
+Level: 1
+Component: multisite
+Compatible: compat
+Edition: cre
+Version: 1.6.0i1
+Date: 1537185769
+Class: security
+
+The AJAX calls used by the site status snapin were not correctly using
+CSRF tokens to protect logged in users against malicious links that could
+trigger actions.
diff --git a/cmk/gui/plugins/sidebar/site_status.py
b/cmk/gui/plugins/sidebar/site_status.py
index 5b69239..5f1a6a9 100644
--- a/cmk/gui/plugins/sidebar/site_status.py
+++ b/cmk/gui/plugins/sidebar/site_status.py
@@ -92,9 +92,12 @@ class SiteStatus(SidebarSnapin):
if switch == "missing":
html.status_label(content=state, status=state, help=_("Site is
missing"))
else:
+ url = html.makeactionuri_contextless([
+ ("_site_switch", "%s:%s" % (sitename, switch)),
+ ], filename="switch_site.py")
html.status_label_button(content=state, status=state,
help=_("enable this site") if state == "disabled"
else _("disable this site"),
- onclick="switch_site('_site_switch=%s:%s')" %
(sitename, switch))
+ onclick="switch_site(%s)" % (json.dumps(url)))
html.close_tr()
html.close_table()
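Review bot: The onclick value built on the `onclick="switch_site(%s)" % (json.dumps(url))` line is the raw JSON encoding of the URL, which contains double quotes and the `&` that separates `_site_switch` from the `_transid` parameter; this is only correct if `html.status_label_button` HTML-escapes the `onclick` attribute before writing it, otherwise the first `"` terminates the attribute and the generated button is broken. Please confirm the helper escapes attribute values, or escape the value explicitly at this call site. The hunk also uses `json` without adding an import, so the module must already import it — the diffstat lists no other change to this file, which I cannot verify from here. The method this hunk edits starts before the hunk.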
@@ -148,6 +151,9 @@ table.sitestate td.state {
if not config.user.may("sidesnap.sitestatus"):
return
+ if not html.check_transaction():
+ return
+
switch_var = html.var("_site_switch")
if switch_var:
for info in switch_var.split(","):
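Review bot: The added `if not html.check_transaction(): return` rejects a request with a missing or stale transaction id by silently producing an empty response, so the JavaScript caller still runs `reload_main_plus_sidebar` as if the switch had succeeded and the user gets no indication that the action was refused. Consider signalling the failure instead of returning — raising the GUI's user-error exception if this module has it in scope (its imports are not visible here), or at least writing an error message into the response — so the caller can tell a rejected request from a successful one. Keeping the permission check ahead of the transaction check is the right order. The page handler this hunk edits starts before the hunk and continues past it.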
diff --git a/web/htdocs/js/sidebar.js b/web/htdocs/js/sidebar.js
index 47b2b00..8cdfca9 100644
--- a/web/htdocs/js/sidebar.js
+++ b/web/htdocs/js/sidebar.js
@@ -680,8 +680,8 @@ function switch_customer(customer_id, switch_state) {
reload_main_plus_sidebar, null);
}
-function switch_site(switchvar) {
- get_url("switch_site.py?" + switchvar, reload_main_plus_sidebar, null);
+function switch_site(url) {
+ get_url(url, reload_main_plus_sidebar, null);
}
var g_seconds_to_update = null;
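Review bot: `switch_site(url)` now hands whatever string it receives straight to `get_url`, so the CSRF protection rests entirely on every caller passing the server-generated action URL that already carries the transaction id, and that contract is not stated anywhere in the hunk. Add a comment above the function such as `// url must be a server-generated action URL (built with makeactionuri) that already carries _transid; never assemble it from user input`. Note also that the state change still travels as a GET, so the URL with its transaction id ends up in browser history and proxy logs; if the sidebar code already has a POST helper it would be the safer transport, but none is visible from this hunk.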