Checkmk werks level3 March 2014

checkmk-werks-lvl3@lists.checkmk.com

2 participants
3 discussions

Check_MK Werk 0766: Changed transid implemtation to work as CSRF protection (Fixes CVE-2014-2330)

by Lars Michelsen

ID: 0766 Title: Changed transid implemtation to work as CSRF protection (Fixes CVE-2014-2330) Component: Multisite Level: 3 Class: Bug Fix Version: 1.2.5i2 This change fixes possible attacks against Check_MK Multisite users. In previous versions a possible attacker could try to make the browsers of authenticated users open URLs of the Check_MK Multisite GUI to execute actions e.g. within WATO without knowledge of the attacked user. To make such an attack possible, there are several things needed: The user must be authenticated with multisite and have enough permission within multisite to execute the actions the attacker wants to use, the attacker needs to know the exact URL to the Multisite GUI. Then the attacker needs to make the user either click on a manipulated link or open a manipulated webpage which makes the browser of the user, where the user is authenticated with multisite, open the URL the attacker wants to make it open. The multisite GUI makes use of transids (transaction ids) when processing form submissions or actions. The transids were mainly used to prevent double execution of actions when reloading the page which performed the action in the browser. Now we changed internal handling of the transid to make it also prevent CSRF attacks. The transid is now some kind of shared secret between the webserver and the browser of the user. This ensures a form submission is intended by a previously requested page. This change impicates an incompatible change: In case you use a script which opens multisite pages to perform an action, e.g. set a downtime and use this with a regular user account which authenticates by username/password, the script won't work anymore after this change. The way to go is to adapt the script and change the user to authenticate with an automation secret instead of a password. For this kind of authentication, you will need to user other URL parameters (_username=... and _secret=...).

10 years, 1 month

Check_MK Werk 0713: New bulk notifications

by Mathias Kettner

ID: 0713 Title: New bulk notifications Component: Notifications Level: 3 Class: New Feature Version: 1.2.5i1 The new rule based notifications now also support a new feature called Bulk Notifications. The idea is to send multiple notifications, that are created within a short time frame, within one email and not as separate emails. This can help in situations where due to some general problem dozends of notifications would happen in a sort time. Also it can be used in order to create something similar to mailing list digests: you can get informed about all problems once a day. Please refer to the <a href="http://mathias-kettner.com/checkmk_rbn.html">online documentation</a> for details.

10 years, 2 months

Check_MK Werk 0711: New rules based notifications

by Mathias Kettner

ID: 0711 Title: New rules based notifications Component: Notifications Level: 3 Class: New Feature Version: 1.2.5i1 Check_MK comes now with a completely new notification system called Rule Based Notifications. While keeping the flexibility of the Flexible Notifications it is easier to configure and at the same time even more flexible. Please refer to <a href="http://mathias-kettner.com/checkmk_rbn.html">the online documentation</a> for details. Rule based notifications are turned off per default. They do not harm you in any way as long as you do not enable them. If you turn them on then your current flexible notification settings are not being converted!

10 years, 2 months

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

Checkmk werks level3 March 2014