Module: check_mk
Branch: master
Commit: bd963e56dc0e63694a33db5ef93e92a6cf2a72d3
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=bd963e56dc0e63…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Thu Sep 13 20:36:35 2018 +0200
6611 SEC Fixed multiple reflected XSS attacks using AJAX calls
Several AJAX calls with an invalid content type setting could be used
to trigger reflected XSS attacks.
Change-Id: Ibef23df27282cf5e72bd0d6d3da3d1a8b713ba67
---
.werks/6611 | 11 +++++++++++
cmk/gui/plugins/wato/utils/base_modes.py | 1 +
2 files changed, 12 insertions(+)
diff --git a/.werks/6611 b/.werks/6611
new file mode 100644
index 0000000..8fc405a
--- /dev/null
+++ b/.werks/6611
@@ -0,0 +1,11 @@
+Title: Fixed multiple reflected XSS attacks using AJAX calls
+Level: 1
+Component: wato
+Compatible: compat
+Edition: cre
+Version: 1.6.0i1
+Date: 1536863730
+Class: security
+
+Several AJAX calls with invalid content type setting could be used
+to trigger XSS attacks.
diff --git a/cmk/gui/plugins/wato/utils/base_modes.py
b/cmk/gui/plugins/wato/utils/base_modes.py
index 15ac7ca..5ba031c 100644
--- a/cmk/gui/plugins/wato/utils/base_modes.py
+++ b/cmk/gui/plugins/wato/utils/base_modes.py
@@ -109,6 +109,7 @@ class WatoWebApiMode(object):
def handle_page(self):
+ html.set_output_format("json")
try:
action_response = self.page()
response = { "result_code": 0, "result": action_response
}