Module: check_mk
Branch: master
Commit: d9455172c8aefc640b37317d744057163dedf195
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=d9455172c8aefc…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Jun 27 12:12:03 2017 +0200
4902 SEC Monitoring history views: Fixed possible XSS when displaying "plugin
output"
A possible XSS issue has been fixed in the monitoring history views displaying the
plugin output of hosts or services. In case a host or service problem is being
acknowledged with HTML code in the acknowledgement comment, this HTML code was
not being escaped properly when being displayed in the "plugin output" column.
Only authenticated users that are permitted to acknowledge host or service problems
could trigger this issue.
Change-Id: I800d2c48bb2dfcf72ed69852be897bba4e58feee
---
.werks/4902 | 17 +++++++++++++++++
web/plugins/views/painters.py | 5 ++++-
2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/.werks/4902 b/.werks/4902
new file mode 100644
index 0000000..7fcaa3b
--- /dev/null
+++ b/.werks/4902
@@ -0,0 +1,17 @@
+Title: Monitoring history views: Fixed possible XSS when displaying "plugin
output"
+Level: 1
+Component: multisite
+Class: security
+Compatible: compat
+Edition: cre
+State: unknown
+Version: 1.5.0i1
+Date: 1498558049
+
+A possible XSS issue has been fixed in the monitoring history views displaying the
+plugin output of hosts or services. In case a host or service problem is being
+acknowledged with HTML code in the acknowlegement comment, this HTML code was
+not being escaped properly when being displayed in the "plugin output" column.
+
+Only authenticated users that are permitted to acknowledge host or service problems
+could trigger this issue.
diff --git a/web/plugins/views/painters.py b/web/plugins/views/painters.py
index afc0d87..ed52745 100644
--- a/web/plugins/views/painters.py
+++ b/web/plugins/views/painters.py
@@ -2221,10 +2221,13 @@ multisite_painters["log_message"] = {
def paint_log_plugin_output(row):
output = row["log_plugin_output"]
comment = row["log_comment"]
+
if output:
return "", format_plugin_output(output, row)
+
elif comment:
- return "", comment
+ return "", html.attrencode(comment)
+
else:
log_type = row["log_type"]
lst = row["log_state_type"]
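Review bot: The new `html.attrencode(comment)` on the elif branch escapes the acknowledgement comment only on that one path, and nothing in the hunk records why this value, unlike `output`, needs escaping here; a maintainer who later reorders the branches or reuses `comment` elsewhere in this painter could drop the escape without noticing. A short why-comment above the branch would pin the contract, e.g. `# log_comment is free text entered by the acknowledging user: escape it at the output boundary`. The `output` branch still relies on `format_plugin_output(output, row)` to produce safe HTML, which this commit does not touch; presumably that helper escapes its input, but that is worth confirming since it is the other user-influenced value rendered by this painter. The rest of paint_log_plugin_output (the else branch) continues outside the hunk, so the remaining return paths are not reviewable here.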