Werk #3970: Fixed possible URL injection on index page
Component | User interface |
Title | Fixed possible URL injection on index page |
Date | 24.10.2016 |
Checkmk Edition | Checkmk Raw (CRE) |
Checkmk version | 1.2.8p14 1.4.0i2 |
Level | Minor change |
Class | Security fix |
Compatibility | Compatible - no manual intervention required |
Until this version, it was possible to inject external URLs as the start URL of an authenticated user's GUI.
An attacker could use this to make an authenticated GUI user open a page of the attacker's choice when the user clicks on a prepared link.
One example URL that could be used: index.py?start_url=//heise.de
Thanks to Marcel Bilal for reporting the issue!
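
One way to validate a start_url parameter so that scheme-relative values such as //heise.de are refused, shown as an added example that is not Checkmk's own code or its actual fix. The names sanitize_start_url and DEFAULT_START_URL, the fallback page and the allowed page pattern are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed fallback page and page-name pattern (hypothetical, not from the Werk).
DEFAULT_START_URL = "dashboard.py"
_LOCAL_PAGE = re.compile(r"[A-Za-z0-9_]+\.py")


def sanitize_start_url(value):
    """Return value if it names a page of the local GUI, else the default."""
    # Whitespace and control characters are stripped by browsers before URL
    # parsing, and a backslash is treated like a slash, so "\t//host" and
    # "\\\\host" would both leave the site. Refuse them before parsing.
    if not value or any(ord(c) <= 0x20 or c == "\\" for c in value):
        return DEFAULT_START_URL
    try:
        parts = urlsplit(value)
    except ValueError:  # malformed authority, e.g. an unterminated "[" host
        return DEFAULT_START_URL
    # "https://host/" carries a scheme; "//host" carries only a network
    # location and inherits the scheme of the current page.
    if parts.scheme or parts.netloc:
        return DEFAULT_START_URL
    # Allow only a bare page name: no leading slash ("///host" parses to the
    # path "/host" but browsers collapse the slashes) and no "../" traversal.
    if not _LOCAL_PAGE.fullmatch(parts.path):
        return DEFAULT_START_URL
    return value


if __name__ == "__main__":
    # Constructed sample inputs; the second one is the example from the Werk.
    for candidate in ("view.py?view_name=allhosts", "//heise.de",
                      "https://heise.de/", "///heise.de", "\\\\heise.de"):
        print(repr(candidate), "->", sanitize_start_url(candidate))
```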