Branch: refs/heads/1.5.0
Home:
https://github.com/tribe29/checkmk
Commit: bcb22313b4c06cf8854c59f5a3220e3318a858ec
https://github.com/tribe29/checkmk/commit/bcb22313b4c06cf8854c59f5a3220e331…
Author: Lars Michelsen <lm(a)tribe29.com>
Date: 2020-08-17 (Mon, 17 Aug 2020)
Changed paths:
A .werks/11263
M cmk_base/data_sources/abstract.py
Log Message:
-----------
11263 SEC Fix piggyback path traversal
In previous versions it was possible to create files in the querying
Checkmk site by modifying or extending an agent on a monitored system.
So an attacker who gained rights on a monitored system to extend the
agent could create and modify files in the monitoring Checkmk site with
certain modifications of the agent. The creation or modification of
files in the Checkmk site was done with rights of the Checkmk site user.
This problem is now solved by a better validation of hostnames of
piggybacked hosts. With this change only these characters are allowed in
Piggybacked hostnames: <tt>0-9a-zA-Z_.-</tt>. These are exactly the same
characters that Checkmk normally allows when creating hostnames. A
special feature of Piggyback hostnames is that all illegal hostnames are
replaced by "_".
This change means that Piggyback hosts created with now invalid
characters will have to be created differently after this change so that
they can continue to be monitored.
Change-Id: I36e37d8eb15ccb0b92792eac84eefc56efd52d96