Module: check_mk
Branch: master
Commit: 2b5ae1e98aa8cb4571d37c5d3150ce6f23161850
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=2b5ae1e98aa8cb…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Jun 30 10:19:36 2015 +0200
#2387 SEC Fixed XSS problem on all pages using confirm dialogs outputting user provided
parameters
On some pages, like for example the host group management page of WATO, it was possible
to inject user provided HTML/Javascript code into the confirm messages. An attacker could
use this to let an authenticated user open a prepared URL for privilege escalation.
---
.werks/2387 | 12 ++++++++++++
ChangeLog | 1 +
web/htdocs/htmllib.py | 19 ++++++++++---------
3 files changed, 23 insertions(+), 9 deletions(-)
diff --git a/.werks/2387 b/.werks/2387
new file mode 100644
index 0000000..834c9a7
--- /dev/null
+++ b/.werks/2387
@@ -0,0 +1,12 @@
+Title: Fixed XSS problem on all pages using confirm dialogs outputting user provided
parameters
+Level: 1
+Component: multisite
+Class: security
+Compatible: compat
+State: unknown
+Version: 1.2.7i3
+Date: 1435652277
+
+On some pages, like for example the host group management page of WATO, it was possible
+to inject user provided HTML/Javascript code into the confirm messages. An attacker
could
+use this to let an authenticated user open a prepared URL for privilege escalation.
diff --git a/ChangeLog b/ChangeLog
index ac9b259..4d53de6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -25,6 +25,7 @@
Multisite:
* 2385 SEC: Fixed possible reflected XSS on all GUI pages where users can produce
unhandled exceptions...
+ * 2387 SEC: Fixed XSS problem on all pages using confirm dialogs outputting user
provided parameters...
* 2314 FIX: Availability: fixed exception when grouping by host or service group
* 2361 FIX: Fix exception for missing key 'title' in certain cases of older
customized views
* 2379 FIX: Plugin-Output: Fixed handling of URLs within output of check_http...
diff --git a/web/htdocs/htmllib.py b/web/htdocs/htmllib.py
index bb6dce3..d6ffbef 100644
--- a/web/htdocs/htmllib.py
+++ b/web/htdocs/htmllib.py
@@ -1071,13 +1071,7 @@ class html:
cls = 'error'
prefix = _('ERROR')
- # Only strip off some tags. We allow some simple tags like
- # <b>, <tt>, <i> to be part of the exception message. The tags
- # are escaped first and then fixed again after attrencode.
- msg = self.attrencode(obj)
- msg = re.sub(r'<(/?)(b|tt|i|br(?:
/)?|pre|a|sup|p|li|ul|ol)>', r'<\1\2>', msg)
- # Also repair link definitions
- msg = re.sub(r'<a href="(.*)">',
r'<a href="\1">', msg)
+ msg = self.permissive_attrencode(obj)
if self.output_format == "html":
if self.mobile:
@@ -1308,7 +1302,7 @@ class html:
if not self.has_var("_do_confirm"):
if self.mobile:
self.write('<center>')
- self.write("<div class=really>%s" % msg)
+ self.write("<div class=really>%s" %
self.permissive_attrencode(msg))
self.begin_form("confirm", method=method, action=action,
add_transid=add_transid)
self.hidden_fields(add_action_vars = True)
self.button("_do_confirm", _("Yes!"),
"really")
@@ -1370,7 +1364,14 @@ class html:
def disable_keybindings(self):
self.keybindings_enabled = False
- # From here: Former not class functions
+ # Only strip off some tags. We allow some simple tags like
+ # <b>, <tt>, <i> to be part of the string. This is useful
+ # for messages where we still want to have formating options.
+ def permissive_attrencode(self, obj):
+ msg = self.attrencode(obj)
+ msg = re.sub(r'<(/?)(b|tt|i|br(?:
/)?|pre|a|sup|p|li|ul|ol)>', r'<\1\2>', msg)
+ # Also repair link definitions
+ return re.sub(r'<a href="(.*)">',
r'<a href="\1">', msg)
# Encode HTML attributes: replace " with ", also replace
# < and >. This code is slow. Works on str and unicode without
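Review bot: permissive_attrencode re-enables `<a href="…">` without constraining the URL it reinstates, so after the escaping only the tag markup is neutralised while the href value itself, including its scheme, is passed through verbatim; this affects both new call sites, the confirm() dialog in the second hunk and the exception path in the first hunk, so confirm messages built from request parameters still carry attacker-chosen link targets. The `(.*)` capture is also greedy, so two links on one line collapse into a single anchor whose href spans the text between them; `(.*?)` fixes that, and a replacement callable that only rebuilds the tag when the captured value starts with `http://`, `https://` or `/` (leaving the escaped text otherwise) closes the scheme gap. As rendered here both sides of each re.sub show a literal `<`; presumably the pattern in the repository matches the entity-encoded form produced by attrencode, otherwise the substitution would be a no-op — worth confirming against the source. The enclosing class html continues past this hunk.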