Module: check_mk
Branch: master
Commit: 1932e4c5188469fdba9a770b6975c7908a905766
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=1932e4c5188469…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Jun 30 09:48:27 2015 +0200
#2385 SEC Fixed possible reflected XSS on all GUI pages where users can produce unhandled
exceptions
On pages where an authenticated user can trigger an exception which is then displayed
to the user as "Internal error" dialog with details about the exception, it was
possible
for the user to inject javascript code which was executed in the context of the
authenticated
user.
This has been fixed: injected javascript/html code is now escaped correctly.
---
.werks/2385 | 15 +++++++++++++++
ChangeLog | 1 +
web/htdocs/htmllib.py | 2 +-
web/htdocs/wato.py | 4 ++--
4 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/.werks/2385 b/.werks/2385
new file mode 100644
index 0000000..cb43377
--- /dev/null
+++ b/.werks/2385
@@ -0,0 +1,15 @@
+Title: Fixed possible reflected XSS on all GUI pages where users can produce unhandled
exceptions
+Level: 1
+Component: multisite
+Class: security
+Compatible: compat
+State: unknown
+Version: 1.2.7i3
+Date: 1435650306
+
+On pages where an authenticated user can trigger an exception which is then displayed
+to the user as "Internal error" dialog with details about the exception, it was
possible
+for the user to inject javascript code which was executed in the context of the
authenticated
+user.
+
+This has been fixed that javascript/html code which is injected is being escaped
correctly.
diff --git a/ChangeLog b/ChangeLog
index 60ecfc5..4a79c70 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -24,6 +24,7 @@
* 2318 FIX: windows agent: no longer crashes when a cached plugin has several hundred
sections...
Multisite:
+ * 2385 SEC: Fixed possible reflected XSS on all GUI pages where users can produce
unhandled exceptions...
* 2314 FIX: Availability: fixed exception when grouping by host or service group
* 2361 FIX: Fix exception for missing key 'title' in certain cases of older
customized views
* 2379 FIX: Plugin-Output: Fixed handling of URLs within output of check_http...
diff --git a/web/htdocs/htmllib.py b/web/htdocs/htmllib.py
index 958bc6a..bb6dce3 100644
--- a/web/htdocs/htmllib.py
+++ b/web/htdocs/htmllib.py
@@ -1048,7 +1048,7 @@ class html:
self.begin_foldable_container("html", "exc_details", False,
_("Details"))
self.write('<div class=log_output>')
- self.write("<pre>%s</pre>" % details)
+ self.write("<pre>%s</pre>" % self.attrencode(details))
self.write('</div>')
self.end_foldable_container()
self.write("</div>")
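Review bot: Only `details` is escaped by the changed line; the exception summary text written earlier in this "Internal error" dialog lies outside the hunk, and if it is interpolated into HTML the same way it needs the same `self.attrencode(...)` treatment, otherwise the reflected-XSS fix is incomplete. The enclosing method begins before the hunk, so this cannot be confirmed from the visible lines. A short comment on the changed line, `# exception text can carry user-controlled input; escape before embedding in HTML`, would record why the encoding is required and discourage a later "cleanup" that removes it.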
diff --git a/web/htdocs/wato.py b/web/htdocs/wato.py
index 37e08ee..7565351 100644
--- a/web/htdocs/wato.py
+++ b/web/htdocs/wato.py
@@ -3793,7 +3793,7 @@ def mode_bulk_inventory(phase):
else:
msg = _("Error during inventory of %s<div
class=exc>%s</div>") % (", ".join(hostnames), e)
if config.debug:
- msg += "<br><pre>%s</pre><br>" %
format_exception().replace("\n", "<br>")
+ msg += "<br><pre>%s</pre><br>" %
html.attrencode(format_exception().replace("\n", "<br>"))
result += msg
html.write(result)
return ""
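Review bot: The added escaping runs after `.replace("\n", "<br>")`, so the inserted `<br>` tags are themselves encoded and render as literal `<br>` text inside the `<pre>` block instead of line breaks. Since `<pre>` preserves newlines, the replace can simply be dropped, `msg += "<br><pre>%s</pre><br>" % html.attrencode(format_exception())`, or the escape applied first, `html.attrencode(format_exception()).replace("\n", "<br>")`. Separately, the context line two lines above still interpolates `e` unescaped into `<div class=exc>%s</div>`; exception messages from inventory can plausibly contain host- or user-derived text, so `html.attrencode(e)` there would close the same class of issue the commit addresses in debug mode. Both points apply equally to the mode_parentscan hunk below. mode_bulk_inventory continues outside the hunk.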
@@ -4230,7 +4230,7 @@ def mode_parentscan(phase):
else:
msg = _("Error during parent scan of %s: %s") % (hostname,
e)
if config.debug:
- msg += "<br><pre>%s</pre>" %
format_exception().replace("\n", "<br>")
+ msg += "<br><pre>%s</pre>" %
html.attrencode(format_exception().replace("\n", "<br>"))
result += msg + "\n<br>"
html.write(result)
return ""