Module: check_mk
Branch: master
Commit: 504bd5002b76c3756868df11901a56f0f9b8ac14
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=504bd5002b76c3…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Fri Nov 3 10:34:41 2017 +0100
5431 SEC Fixed possible reflected XSS using custom bookmarks
It was possible to create custom bookmarks by making the user open a
crafted URL. This created a bookmark in the user's default bookmark list
which could be used to execute custom javascript code when the user
clicks on the newly created link.
For example the user's session cookies can be read and reported to the
attackers, who could then hijack the user's sessions with the application.
This issue has been fixed by limiting absolute URLs in bookmarks to the
URL schemes <tt>https</tt> and <tt>http</tt>.
Change-Id: I80a47c981970f23dd9737f1c6000cc82799220b1
---
.werks/5431 | 20 ++++++++++++++++++++
web/plugins/sidebar/shipped.py | 11 +++++++++++
2 files changed, 31 insertions(+)
diff --git a/.werks/5431 b/.werks/5431
new file mode 100644
index 0000000..35e29cc
--- /dev/null
+++ b/.werks/5431
@@ -0,0 +1,20 @@
+Title: Fixed possible reflected XSS using custom bookmarks
+Level: 1
+Component: multisite
+Class: security
+Compatible: compat
+Edition: cre
+State: unknown
+Version: 1.5.0i1
+Date: 1509701263
+
+It was possible to create custom bookmarks by making the user open a
+crafted URL. This created a bookmark in the users default bookmark list
+which could be used to execute custom javascript code when the user
+clicks on the just created link.
+
+For example the user session cookies can be read and reported to the
+attackers, who could then hijack the users sessions with the application.
+
+This issue has been fixed by limiting absolute URLs in bookmarks to the
+URL schemes <tt>https</tt> and <tt>http</tt>.
diff --git a/web/plugins/sidebar/shipped.py b/web/plugins/sidebar/shipped.py
index 03a8467..7903393 100644
--- a/web/plugins/sidebar/shipped.py
+++ b/web/plugins/sidebar/shipped.py
@@ -1495,6 +1495,7 @@ class BookmarkList(pagetypes.Overridable):
title = _("URL"),
size = 50,
allow_empty = False,
+ validate = self.validate_url,
)),
(IconSelector(
title = _("Icon"),
@@ -1527,9 +1528,18 @@ class BookmarkList(pagetypes.Overridable):
return parameters
+ def validate_url(cls, value, varprefix):
+ parsed = urlparse.urlparse(value)
+
+ # Absolute URLs are allowed, but limit it to http/https
+ if parsed.scheme != "" and parsed.scheme not in [ "http",
"https" ]:
+ raise MKUserError(varprefix, _("This URL ist not allowed to be used as
bookmark"))
+
+
@classmethod
def _load(cls):
cls.load_legacy_bookmarks()
+ self.load_legacy_bookmarks()
@classmethod
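Review bot: `validate_url` takes `cls` as its first parameter but no `@classmethod` decorator appears above it in this hunk, while both call sites bind it through the class (`self.validate_url` in the hunk at @@ -1495, `BookmarkList.validate_url(url, "url")` in the hunk at @@ -1694); unless the decorator was lost in rendering, those calls would pass the URL string as the instance and fail before any check runs. The scheme test only sees what `urlparse` recognises as a scheme, whereas a browser normalises leading/trailing whitespace and embedded tab/newline characters before it looks for one, so stripping the value and rejecting such control characters up front keeps the two parsers in agreement; the rewrite below does that and also fixes the typo in the user-facing message (`"This URL ist not allowed..."` → `"This URL is not allowed..."`). The `self.load_legacy_bookmarks()` line added inside `_load(cls)` references a name that is not bound in a classmethod; if that line really is part of the commit it should be dropped or changed to `cls`, and in either case the tree should be checked since this page may have lost or mangled lines. Whether `urlparse` is imported at the top of shipped.py is not visible here.
```python
    @classmethod
    def validate_url(cls, value, varprefix):
        # Browsers strip surrounding whitespace and embedded tab/newline
        # characters before looking for a scheme; urlparse does not. Normalise
        # first so both parsers agree on what the scheme is.
        value = value.strip()
        if any(c in value for c in "\t\r\n"):
            raise MKUserError(varprefix, _("This URL is not allowed to be used as bookmark"))

        parsed = urlparse.urlparse(value)

        # Absolute URLs are allowed, but limit it to http/https
        if parsed.scheme and parsed.scheme not in ("http", "https"):
            raise MKUserError(varprefix, _("This URL is not allowed to be used as bookmark"))

    # … unchanged: _load and the rest of the class …
```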
@@ -1694,6 +1704,7 @@ def ajax_add_bookmark():
title = html.var("title")
url = html.var("url")
if title and url:
+ BookmarkList.validate_url(url, "url")
add_bookmark(title, url)
render_bookmarks()
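Review bot: `BookmarkList.validate_url(url, "url")` raises `MKUserError` from inside an AJAX handler, and nothing in this hunk shows whether the caller of `ajax_add_bookmark` turns that into an error response rather than a traceback; that should be confirmed so a rejected bookmark produces a visible message instead of silently failing to appear. The commit message says the bookmark was created "by making the user open a crafted URL", and this hunk still creates a bookmark from `html.var("title")`/`html.var("url")` with no visible transaction or request-method check, so the scheme restriction narrows what the crafted link can store but, as far as the hunk shows, not that a crafted link can store it; whether such a check exists in the dispatcher is not visible here and is worth verifying. A why-comment on the new line would help the next reader: `# Reject absolute URLs outside http/https before persisting (werk 5431)`. The `def ajax_add_bookmark()` line is outside the hunk.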