Module: check_mk
Branch: master
Commit: 31611e42584dd0836ddab2ed80e72bb9aa561443
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=31611e42584dd0…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Fri Jul 4 15:27:14 2014 +0200
SEC index start URL can not be used to redirect to absolute URLs anymore

An attacker could make a user open up a URL to a compromised website which the
user does not want to open: index.py?start_url=http://(url to compromised URL).
---
.werks/1052 | 10 ++++++++++
ChangeLog | 1 +
web/htdocs/main.py | 5 +++++
3 files changed, 16 insertions(+)
diff --git a/.werks/1052 b/.werks/1052
new file mode 100644
index 0000000..448b622
--- /dev/null
+++ b/.werks/1052
@@ -0,0 +1,10 @@
+Title: index start URL can not be used to redirect to absolute URLs anymore
+Level: 1
+Component: multisite
+Class: security
+State: unknown
+Version: 1.2.5i5
+Date: 1404480323
+
+An attacker could make a user open up an URL to a compromised website which the
+does not want to open index.py?start_url=http://(url to compromised URL).
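Review bot: The werk body (the last two added lines) describes only the risk, with a word missing in "which the does not want to open", and never states the new behaviour. Suggest fixing the sentence and adding one line saying that a start_url value containing an absolute URL is now ignored and the configured start URL is used instead, so that administrators who have links or bookmarks passing start_url know what changed.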
diff --git a/ChangeLog b/ChangeLog
index 48cb0d8..f10cf0d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -35,6 +35,7 @@
* 1013 Sort host names naturally, e.g. foobar11 comes after foobar2...
* 1033 New Mutisite filter for the number of services a host has...
* 0949 quicksearch: now able to search for multiple hosts at once...
+ * 1052 SEC: index start URL can not be used to redirect to absolute URLs anymore...
* 0945 FIX: Sidebar snapin "Problem hosts": Now excludes hosts and services
in downtime
* 1036 FIX: doc/treasures/downtime: fix --url option, better error output
diff --git a/web/htdocs/main.py b/web/htdocs/main.py
index c0e4815..338ad16 100644
--- a/web/htdocs/main.py
+++ b/web/htdocs/main.py
@@ -28,6 +28,11 @@ import defaults, config
def page_index():
start_url = html.var("start_url", config.start_url)
+ # Prevent redirecting to absolute URL which could be used to redirect
+ # users to compromised pages
+ if '://' in start_url:
+ start_url = config.start_url
+
# Do not cache the index page -> caching problems when page is accessed
# while not logged in
#html.req.headers_out.add("Cache-Control", "max-age=7200,
public");
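Review bot: The substring test `if '://' in start_url:` only recognises values that carry an explicit scheme, so a scheme-relative value starting with `//`, which a browser also resolves to another host, is passed through unchanged. The same test also rejects legitimate relative start URLs that merely contain `://` inside a query parameter. Suggest parsing the value with the standard library URL parser and falling back to `config.start_url` whenever the parsed scheme or network location is non-empty, and extending the comment to say that only site-relative URLs are accepted.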