Module: check_mk
Branch: master
Commit: 2b4afd8f1b586fc27200c76c9fd0e241f134fde9
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=2b4afd8f1b586f…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Jun 30 10:02:24 2015 +0200
#2386 SEC Fixed possible XSS on WATO rule edit page
A possible XSS injection has been fixed on the rule edit page of WATO. It was possible
to inject JavaScript code using the HTTP parameters the page is processing.
---
.werks/2386 | 11 +++++++++++
ChangeLog | 1 +
web/htdocs/wato.py | 2 +-
3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/.werks/2386 b/.werks/2386
new file mode 100644
index 0000000..2451307
--- /dev/null
+++ b/.werks/2386
@@ -0,0 +1,11 @@
+Title: Fixed possible XSS on WATO rule edit page
+Level: 1
+Component: wato
+Class: security
+Compatible: compat
+State: unknown
+Version: 1.2.7i3
+Date: 1435651254
+
+A possible XSS injection has been fixed on the rule edit page of WATO. It was possible
+to inject javascript code using the HTTP parameters the page is processing.
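Review bot: the werk description on the two `+A possible XSS injection ...` lines does not say which input was affected, so a reader of the changelog cannot tell whether only the "no rules available" message of the rule edit page was exposed or other inputs too; consider naming the `service_description` request parameter and the `mode_edit_ruleset` message, which the wato.py hunk of this same commit shows to be the only changed spot.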
diff --git a/ChangeLog b/ChangeLog
index 4a79c70..ac9b259 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -33,6 +33,7 @@
WATO:
* 2365 Removed old deprecated notification global options for plain emails...
* 2384 SEC: Prevent user passwords from being visible in webserver log on user
creation...
+ * 2386 SEC: Fixed possible XSS on WATO rule edit page...
* 2344 FIX: Improved validation of selected rules when editing BI aggregations...
* 2346 FIX: Notifications: Fixed garbled page when switching on/off
bulks/backlog/user rules
diff --git a/web/htdocs/wato.py b/web/htdocs/wato.py
index 7565351..61dcdf3 100644
--- a/web/htdocs/wato.py
+++ b/web/htdocs/wato.py
@@ -14367,7 +14367,7 @@ def mode_edit_ruleset(phase):
if not rulespec:
text = html.var("service_description") or varname
- html.write("<div class=info>" + _("There are no rules
availabe for %s.") % text + "</div>")
+ html.write("<div class=info>" + _("There are no rules
availabe for %s.") % html.attrencode(text) + "</div>")
return
if not hostname:
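Review bot: the spelling error "availabe" in the translated string is carried over unchanged onto the `+` line; since that string is a gettext msgid, correcting it changes the translation key, so it belongs in a separate change together with the .po updates rather than in this security fix. The escaping itself is placed correctly: `text` comes from either the `service_description` request parameter or `varname`, and both now pass through `html.attrencode` before being concatenated into the `<div>`. This hunk covers only one `html.write` in `mode_edit_ruleset`; the other places in that function that render `html.var(...)` values would deserve the same check.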
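To make the effect of the one-line change visible, the following is an added Python example that is not part of the commit or of Check_MK. It rebuilds the "no rules available" message both the old way (raw parameter text concatenated into markup) and the fixed way, then parses the result to show which elements a browser would see. `html.escape` stands in for Check_MK's `html.attrencode`, on the assumption that both escape `&`, `<`, `>` and `"`; the request parameters are constructed sample values.

```python
import html
from html.parser import HTMLParser

# Constructed sample request parameters: what html.var("service_description")
# and varname would hold in mode_edit_ruleset. The first one carries markup.
SAMPLE_PARAMS = {
    "service_description": '<script>alert(1)</script>',
    "varname": "checkgroup_parameters:if",
}


def _message_text(params):
    """Same fallback as the patched code: service_description, else varname."""
    return params.get("service_description") or params.get("varname")


def no_rules_message_unescaped(params):
    """Mirrors the '-' line: the parameter is placed into the markup as-is."""
    text = _message_text(params)
    return "<div class=info>" + ("There are no rules available for %s." % text) + "</div>"


def no_rules_message_escaped(params):
    """Mirrors the '+' line: the parameter is escaped first.

    html.escape(quote=True) is assumed to be equivalent to html.attrencode here.
    """
    text = _message_text(params)
    body = "There are no rules available for %s." % html.escape(text, quote=True)
    return "<div class=info>" + body + "</div>"


class _TagCollector(HTMLParser):
    """Records every start tag a browser-like parser would create."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parsed_tags(markup):
    """Return the list of (tag, attributes) elements found in the markup."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def tag_names(markup):
    """Just the element names, in document order."""
    return [tag for tag, _ in parsed_tags(markup)]


if __name__ == "__main__":
    # Unescaped: the injected <script> becomes a real element.
    print(tag_names(no_rules_message_unescaped(SAMPLE_PARAMS)))
    # Escaped: only the intended <div> remains; the payload is inert text.
    print(tag_names(no_rules_message_escaped(SAMPLE_PARAMS)))
    print(no_rules_message_escaped(SAMPLE_PARAMS))
```

Running the block prints `['div', 'script']` for the old construction and `['div']` for the fixed one, which is exactly the difference a browser would see; the fallback to `varname` when `service_description` is empty is preserved in both variants.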