Werk #1500: Preventing livestatus injections in different places

Component: User interface
Title: Preventing livestatus injections in different places
Date: Nov 12, 2014
Level: Prominent Change
Class: Security Fix
Compatibility: Compatible - no manual interaction needed
Checkmk versions & editions
1.2.6b1
Not yet released
Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.2.6b1 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

In some places, strings provided by users (for example, values entered into a form) are used to construct livestatus queries. This happens, for example, when filtering views or executing commands. Previous versions used these strings directly, without escaping or filtering characters, which could lead to problems. This has now been fixed: strings provided by the user are filtered before they are used in livestatus queries. For the moment, the only implemented action is to remove all newline (\n) characters from the values, to prevent the injection of unintended livestatus queries or commands.
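The following is an added example, not Checkmk's own code, showing why a newline in a form value matters for a line-oriented livestatus request and what the newline filter changes. The function names and the sample form value are assumptions constructed for illustration.

```python
# Added illustration; function names are hypothetical, not Checkmk's own code.

def strip_newlines(value: str) -> str:
    """The mitigation described in the Werk: drop every newline character."""
    return value.replace("\n", "")


def build_query(table: str, columns: list[str], column: str, value: str,
                sanitize: bool = True) -> str:
    """Build a livestatus GET request with a single equality filter.

    Livestatus requests are line oriented: one header per line, and an
    empty line ends the request. A newline inside `value` therefore
    starts a new line that the server parses as its own header.
    """
    if sanitize:
        value = strip_newlines(value)
    lines = [
        f"GET {table}",
        "Columns: " + " ".join(columns),
        f"Filter: {column} = {value}",
    ]
    return "\n".join(lines) + "\n\n"


def header_lines(query: str) -> list[str]:
    """Return the non-empty lines of the first request in `query`."""
    first_request = query.split("\n\n", 1)[0]
    return [line for line in first_request.split("\n") if line]


# Constructed form input: a host name followed by an extra header line.
FORM_VALUE = "web01\nLimit: 1"

if __name__ == "__main__":
    for sanitize in (False, True):
        q = build_query("hosts", ["name", "state"], "name", FORM_VALUE, sanitize)
        print(f"sanitize={sanitize}: {header_lines(q)}")
```

Without filtering, the request carries four header lines, one of which the user supplied; with filtering, the whole value stays inside the single `Filter:` line.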
