Werk #3970: Fixed possible URL injection on index page
| Component | User interface |
| Title | Fixed possible URL injection on index page |
| Date | Oct 24, 2016 |
| Level | Trivial Change |
| Class | Security Fix |
| Compatibility | Compatible - no manual interaction needed |
| Checkmk versions & editions | |
Before this version, it was possible to inject external URLs as the start URL of an authenticated user's GUI.
An attacker could use this to make an authenticated GUI user open a page of the attacker's choice when the user clicks on a prepared link.
One example URL which could be used: index.py?start_url=//heise.de
Thanks to Marcel Bilal for reporting the issue!