Module: check_mk
Branch: master
Commit: b35e2492f520f2f770ec927fc2b153e0549d3533
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=b35e2492f520f2…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Wed Dec 3 09:11:34 2014 +0100
#1587 SEC Prevent logging of passwords during initial distributed site login
When creating a distributed monitoring setup using WATO, after configuring
a remote site in the central site, you need to login into the remote site
as admin user once to establish a trust between both sites.
This login was made using an HTTP GET request, which is logged in the access
logs of the affected web servers (local system apache, local site apache,
remote system apache, remote site apache). All these log entries contain the
whole GET query string, which also includes the entered username and password.
This has been fixed by replacing the GET request with a POST request, whose
request vars are not logged in the access log.
---
.werks/1587 | 19 +++++++++++++++++++
ChangeLog | 1 +
web/htdocs/wato.py | 17 +++++++++++------
3 files changed, 31 insertions(+), 6 deletions(-)
diff --git a/.werks/1587 b/.werks/1587
new file mode 100644
index 0000000..7e5fcdd
--- /dev/null
+++ b/.werks/1587
@@ -0,0 +1,19 @@
+Title: Prevent logging of passwords during initial distributed site login
+Level: 1
+Component: wato
+Compatible: compat
+Version: 1.2.5i7
+Date: 1417594096
+Class: security
+
+When creating a distributed monitoring setup using WATO, after configuring
+a remote site in the central site, you need to login into the remote site
+as admin user once to establish a trust between both sites.
+
+This login was made using a HTTP get request, which is logged in the access
+logs of the affected webservers (local system apache, local site apache,
+remote system apache, remote site apache). All these log entries contain the
+whole GET query string, which also includes the inserted username and password.
+
+This has been fixed by replacing the GET request with a POST request where
+the request vars are not logged in the access log.
diff --git a/ChangeLog b/ChangeLog
index b55f0b1..1d16e40 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -104,6 +104,7 @@
* 1495 Most WATO tables can now be sorted (where useful)...
* 1504 WATO makes host tag and group information available for NagVis...
* 1535 Disabled services on service discovery page now link to the ruleset
+ * 1587 SEC: Prevent logging of passwords during initial distributed site login...
* 1165 FIX: Fixed exception in service discovery of logwatch event console forwarding
checks...
* 1490 FIX: Timperiod excludes can now even be configured when creating a
timeperiod...
* 1491 FIX: Fixed bug in dynamic lists where removing an item was not always
possible...
diff --git a/web/htdocs/wato.py b/web/htdocs/wato.py
index e69ca57..089e6bb 100644
--- a/web/htdocs/wato.py
+++ b/web/htdocs/wato.py
@@ -9877,7 +9877,7 @@ def mode_sites(phase):
"the initial handshake and not be stored. If the login is
"
"successful then both side will exchange a login secret
"
"which is used for the further remote calls.") %
site["alias"])
- html.begin_form("login")
+ html.begin_form("login", method="POST")
html.write("<table class=form>")
html.write("<tr><td class=legend>%s</td>" %
_("Administrator login"))
html.write("<td class=content>")
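Review bot: The new `method="POST"` on the login form carries no comment saying why it is there, and a later tidy-up could easily drop it back to the default GET and reintroduce the access-log leak this commit fixes. Add a line above the call such as `# POST: keep the admin password out of the apache access logs (werk 1587)`. The body of mode_sites starts and ends outside this hunk, so whether the action handler reads `_username`/`_password` in a method-independent way cannot be checked from here.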
@@ -10561,15 +10561,20 @@ def do_site_login(site_id, name, password):
# Trying basic auth AND form based auth to ensure the site login works.
# Adding _ajaxid makes the web service fail silently with an HTTP code and
# not output HTML code for an error screen.
- url = site["multisiteurl"] + 'login.py?_login=1' \
-
'&_username=%s&_password=%s&_origtarget=automation_login.py&_plain_error=1'
% \
- (name, password)
- response = get_url(url, site.get('insecure', False), name, password).strip()
+ url = site["multisiteurl"] + 'login.py'
+ post_data = html.urlencode_vars([
+ ('_login', '1'),
+ ('_username', name),
+ ('_password', password),
+ ('_origtarget', 'automation_login.py'),
+ ('_plain_error', '1'),
+ ])
+ response = get_url(url, site.get('insecure', False), name, password,
post_data=post_data).strip()
if '<html>' in response.lower():
message = _("Authentication to web service
failed.<br>Message:<br>%s") % \
html.strip_tags(html.strip_scripts(response))
if config.debug:
- message += "<br>Automation URL:
<tt>%s</tt><br>" % url
+ message += "<br>" + _("Automation URL:") + "
<tt>%s</tt><br>" % url
raise MKAutomationException(message)
elif not response:
raise MKAutomationException(_("Empty response from web service"))
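Review bot: `post_data` now holds the plain-text password and nothing in the hunk marks it as sensitive; the debug branch correctly prints only `url`, but a future change that appends `post_data` to the message, or any handler that dumps local variables on an exception, would bring the leak back. Add a comment above the `html.urlencode_vars` call such as `# post_data carries the plain-text password: never echo it into messages, logs or exceptions`. The `name`/`password` pair is also passed positionally to `get_url`, presumably for the basic-auth attempt mentioned in the comment at the top of the hunk; whether `get_url` itself logs the POST body cannot be seen from this hunk. do_site_login continues past the last line shown.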