Werk #14261: Manual enablement of login using HTTP GET to avoid unintentional leakage of user credentials in Apache's access logs
Component | Setup | ||||||
Title | Manual enablement of login using HTTP GET to avoid unintentional leakage of user credentials in Apache's access logs | ||||||
Date | Jun 28, 2022 | ||||||
Level | Trivial Change | ||||||
Class | Security Fix | ||||||
Compatibility | Incompatible - Manual interaction might be required | ||||||
Checkmk versions & editions |
|
Using GET requests to login.py means that the credentials supplied in the query parameters will appear in the site's Apache logs. To avoid unintentional leakage of such credentials, we by default block login attempts via the GET method.
If you used the GET method to, for example, export the data of views and dashboards in formats such as JSON, you can make use of the automation user as described in documentation article. For example, to display the view allhosts in JSON format, you can issue requests like this one curl -X GET 'http://localhost/heute/check_mk/view.py?_username=automation&_secret=[automation_secret]&view_name=allhosts&output_format=json'.
However, if you still need to use the GET method to login to WATO, you can manually enable this method as follows:
In the WATO interface, go to Setup > Global Settings > User interface, and switch on the Enable login via GET requests property.