ID: 2370
Title: Fix computation of "in downtime" and "acknowledged" of hosts in BI aggregations
Component: BI
Level: 2
Class: Bug Fix
Version: 1.2.7i3
BI automatically aggregates downtimes and acknowledgements. But for host nodes in a
BI tree these two states had been swapped. This has been fixed.
ID: 2387
Title: Fixed XSS problem on all pages using confirm dialogs outputting user provided parameters
Component: Multisite
Level: 1
Class: Security Fix
Version: 1.2.7i3
On some pages, for example the host group management page of WATO, it was possible
to inject user provided HTML/JavaScript code into the confirm messages. An attacker could
use this by getting an authenticated user to open a prepared URL, leading to privilege escalation.
ID: 2386
Title: Fixed possible XSS on WATO rule edit page
Component: WATO
Level: 1
Class: Security Fix
Version: 1.2.7i3
A possible XSS injection has been fixed on the rule edit page of WATO. It was possible
to inject JavaScript code using the HTTP parameters the page is processing.
ID: 2385
Title: Fixed possible reflected XSS on all GUI pages where users can produce unhandled exceptions
Component: Multisite
Level: 1
Class: Security Fix
Version: 1.2.7i3
On pages where an authenticated user can trigger an exception which is then displayed
to the user as an "Internal error" dialog with details about the exception, it was possible
for the user to inject JavaScript code which was executed in the context of the authenticated
user.
This has been fixed: injected JavaScript/HTML code is now escaped correctly.
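The three werks above (2387, 2386, 2385) share one root cause: a user-controlled value (a GET parameter, or the text of an exception that echoes such a parameter) was interpolated into HTML without escaping. The following is an added example, not Check_MK code: it shows the unsafe interpolation beside the escaped form, and a small tag collector that a test can use to confirm no markup survives. The host group name and the dialog wording are constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample of a user-controlled parameter value (not from the page):
# an attribute-bearing tag, which is what a confirm dialog must never emit raw.
SAMPLE_NAME = '<img src=x onerror="alert(1)">'


def confirm_message_unsafe(item_name):
    # The pre-fix pattern: the parameter is placed into the dialog verbatim.
    return "Do you really want to delete the host group %s?" % item_name


def confirm_message_escaped(item_name):
    # The fix: HTML-escape every user-provided value before it becomes markup.
    # quote=True also escapes quotes so the value is safe inside attributes.
    return "Do you really want to delete the host group %s?" % html.escape(
        item_name, quote=True
    )


def error_dialog_escaped(exc):
    # Werk 2385: exception text can carry user input too, so it gets the same
    # treatment before being wrapped in the "Internal error" dialog markup.
    return '<div class="error">Internal error: %s</div>' % html.escape(
        str(exc), quote=True
    )


class _TagCollector(HTMLParser):
    # Records every start tag the browser would see in the rendered fragment.
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(rendered):
    """Return the list of HTML start tags present in a rendered fragment."""
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return parser.tags


if __name__ == "__main__":
    print("unsafe :", start_tags(confirm_message_unsafe(SAMPLE_NAME)))
    print("escaped:", start_tags(confirm_message_escaped(SAMPLE_NAME)))
    print("error  :", start_tags(error_dialog_escaped(ValueError(SAMPLE_NAME))))
```

Running the unsafe renderer yields an `img` start tag from the parameter; the escaped renderer yields none, and the error dialog yields only its own `div`. Escaping at the point where a value becomes markup, rather than filtering on input, is what closes all three entries at once.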
ID: 2384
Title: Prevent user passwords from being visible in webserver log on user creation
Component: WATO
Level: 1
Class: Security Fix
Version: 1.2.7i3
When a user is created using WATO, the values of the form fields were logged
directly into the webserver access log, because the form on this page used the
GET request method. Users who have access to the log files would be able to
see the initial passwords. If you use an older version of Check_MK it is a good
idea to set "Change password at next login or access" to force the user
to change the password on first login.
We changed this form to perform a POST request now, to prevent this information
from being written to the logs.
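Whether an older installation was affected can be checked from the logs themselves: GET parameters end up in the request line of the access log, POST bodies do not. The following added example (not part of Check_MK) scans Apache combined-format lines for GET requests whose query string carries a credential-like parameter, and shows how such a request line can be redacted before the log is retained. The log lines, the parameter name list and the `/site/check_mk/` paths are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample access-log lines (Apache combined format, abbreviated).
# Hostnames, users and paths are invented; the first line shows the pre-fix
# behaviour where the user-creation form was submitted with GET.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Jun/2015:10:15:32 +0200] "GET /site/check_mk/wato.py?mode=edit_user&edit=jdoe&password=S3cret%21&_save=yes HTTP/1.1" 200 5123
10.0.0.5 - admin [12/Jun/2015:10:16:01 +0200] "POST /site/check_mk/wato.py?mode=edit_user HTTP/1.1" 200 5123
10.0.0.7 - - [12/Jun/2015:10:17:44 +0200] "GET /site/check_mk/view.py?view_name=hosts HTTP/1.1" 200 812
"""

# Parameter names treated as credentials (assumed list, extend as needed).
SENSITIVE_PARAMS = {"password", "passwd", "pw", "secret", "token"}

# Request-line fields of the combined log format that matter here.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_leaked_params(log_text):
    """Return one finding per GET request whose query carries a credential."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip, do not guess
        if m.group("method") != "GET":
            continue  # POST bodies never reach the access log
        parts = urlsplit(m.group("target"))
        params = parse_qs(parts.query, keep_blank_values=True)
        leaked = sorted(p for p in params if p.lower() in SENSITIVE_PARAMS)
        if leaked:
            findings.append({
                "ip": m.group("ip"),
                "user": m.group("user"),
                "time": m.group("ts"),
                "path": parts.path,
                "params": leaked,
            })
    return findings


def redact_target(target):
    """Replace credential values in a request target, keeping other params."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    redacted = [
        (k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs
    ]
    return urlunsplit(parts._replace(query=urlencode(redacted)))


if __name__ == "__main__":
    for f in find_leaked_params(SAMPLE_LOG):
        print("credential in GET query:", f)
    print(redact_target("/site/check_mk/wato.py?edit=jdoe&password=x&_save=yes"))
```

On the sample above only the first line is reported: the POST on the second line carries the same form but its values are in the body, which is exactly what the fix relies on. Redaction is a stop-gap for logs already written; the actual mitigation is the switch to POST plus the forced password change the entry recommends.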
ID: 2318
Title: windows agent: no longer crashes when a cached plugin has several hundred sections
Component: Checks & Agents
Level: 1
Class: Bug Fix
Version: 1.2.7i3
The Windows agent crashed when a single cached plugin reported several hundred sections.
Cached plugins need to be postprocessed, which requires an additional heap buffer.
The extra heap buffer was set to a value that was too small. This has been fixed.