Werk #4757: Fixed possible reflected XSS in webapi.py

Component: User interface
Title: Fixed possible reflected XSS in webapi.py
Date: Jun 14, 2017
Level: Prominent Change
Class: Security Fix
Compatibility: Compatible - no manual interaction needed
Checkmk versions & editions:
1.5.0i1 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.4.0p6 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.2.8p27 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

In the Check_MK 1.4 branch, URLs like the following could be used for a reflected XSS attack:

http://<test host>/<site>/check_mk/webapi.py?_username=<script>alert("XSS")</script>&_secret=AnythingHere

The error message that echoed the supplied _username was interpreted as HTML, while it should have been a plain text error message. This has now been fixed.
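To illustrate the class of bug and the fix, here is an added example (not Checkmk's own webapi.py code; the handler names, the error wording and the sample query string are constructed for this page): an error response that reflects the _username parameter as HTML, beside two safe variants, one serving plain text as the werk describes and one escaping the value when HTML output is required.

```python
import html
from urllib.parse import parse_qs

# Constructed sample query string, mirroring the shape of the URL in the werk.
SAMPLE_QUERY = '_username=<script>alert("XSS")</script>&_secret=AnythingHere'


def parse_credentials(query):
    """Return (_username, _secret) from a raw query string (hypothetical helper)."""
    params = parse_qs(query, keep_blank_values=True)
    return params.get("_username", [""])[0], params.get("_secret", [""])[0]


def error_response_vulnerable(username):
    """Illustrative 'before': HTML content type and the untrusted name reflected unescaped."""
    headers = {"Content-Type": "text/html"}
    body = "<h1>Error</h1><p>Invalid automation secret for user %s</p>" % username
    return headers, body


def error_response_plain(username):
    """Illustrative 'after' in the spirit of the werk: serve the error as plain text.
    nosniff stops browsers from second-guessing the declared type."""
    headers = {"Content-Type": "text/plain; charset=utf-8",
               "X-Content-Type-Options": "nosniff"}
    body = "ERROR: Invalid automation secret for user %s" % username
    return headers, body


def error_response_html_escaped(username):
    """Alternative when HTML output is required: escape the untrusted value."""
    headers = {"Content-Type": "text/html; charset=utf-8",
               "X-Content-Type-Options": "nosniff"}
    body = "<h1>Error</h1><p>Invalid automation secret for user %s</p>" % html.escape(
        username, quote=True)
    return headers, body


def renders_as_script(headers, body):
    """True only if a browser would parse the body as HTML *and* the raw tag survived."""
    media_type = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return media_type == "text/html" and "<script>" in body


if __name__ == "__main__":
    user, _ = parse_credentials(SAMPLE_QUERY)
    for build in (error_response_vulnerable, error_response_plain, error_response_html_escaped):
        hdrs, body = build(user)
        print("%-28s script executes: %s" % (build.__name__, renders_as_script(hdrs, body)))
```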
