Download

Werk #3855: Fixed possible command injection by privileged WATO users

Komponente Setup
Titel Fixed possible command injection by privileged WATO users
Datum 13.09.2016
Checkmk Edition Checkmk Raw (CRE)
Checkmk-Version 1.2.8p11 1.4.0i1
Level Bedeutende Änderung
Klasse Sicherheitsfix
Kompatibilität Kompatibel - benötigt kein manuelles Eingreifen

In all previous 1.2.8 versions authenticated and privileged WATO users, the ones which are able to add or edit hosts, were able to inject shell commands to Check_MK which are then executed in the context of the monitoring site user.

The user was able to configure a host address in a specific format to inject such shell commands to the configuration. Once the configuration was activated and loaded into the monitoring core, the command was executed in context of the monitoring site user in the moment a parent scan was started for that host.

Thanks for analyzing and reporting this issue to Christian Fünfhaus!

Zur Liste aller Werks

Überzeugen Sie sich selbst

Testen Sie Checkmk jetzt.

Raw Edition herunterladen Kostenloses Open-Source-Monitoring
Play with Checkmk Checkmk ohne Installation ausprobieren
checkmk_conference_10.png

Das Highlight des Jahres: Vom 11. - 13. Juni 2024 kommt die Checkmk Community in München zusammen.

Register now