Werk #14261: Manual enablement of login using HTTP GET to avoid unintentional leakage of user credentials in Apache's access logs

Komponente Setup
Titel Manual enablement of login using HTTP GET to avoid unintentional leakage of user credentials in Apache's access logs
Datum 28.06.2022
Checkmk-Editon Checkmk Raw (CRE)
Checkmk-Version 2.2.0i1
Level Kleine Änderung
Klasse Sicherheitsfix
Kompatibilität Kompatibel - benötigt kein manuelles Eingreifen

Using GET requests to login.py means that the credentials supplied in the query parameters will appear in the site's Apache logs. To avoid unintentional leakage of such credentials, we by default block login attempts via the GET method.

If you used the GET method to, for example, export the data of views and dashboards in formats such as JSON, you can make use of the automation user as described in documentation article. For example, to display the view allhosts in JSON format, you can issue requests like this one curl -X GET 'http://localhost/heute/check_mk/view.py?_username=automation&_secret=[automation_secret]&view_name=allhosts&output_format=json'.

However, if you still need to use the GET method to login to WATO, you can manually enable this method as follows:

In the WATO interface, go to Setup > Global Settings > User interface, and switch on the Enable login via GET requests property.

Zur Liste aller Werks