Werk #4757: Fixed possible reflected XSS in webapi.py
Komponente | User interface |
Titel | Fixed possible reflected XSS in webapi.py |
Datum | 14.06.2017 |
Checkmk Edition | Checkmk Raw (CRE) |
Checkmk-Version | 1.2.8p27 1.4.0p6 1.5.0i1 |
Level | Bedeutende Änderung |
Klasse | Sicherheitsfix |
Kompatibilität | Kompatibel - benötigt kein manuelles Eingreifen |
In the Check_MK 1.4 branch URLs like this could be used for a reflected XSS attack:
http://<test host>/<site>/check_mk/webapi.py?_username=<script>alert("XSS")</script>&_secret=AnythingHere
The error message was interpreted as HTML while it should be a plain text error message. This has been fixed now.