From lm at mathias-kettner.de  Wed Dec  3 09:53:22 2014
From: lm at mathias-kettner.de (Lars Michelsen)
Date: Wed,  3 Dec 2014 09:53:22 +0100 (CET)
Subject: Check_MK Werk 1587: Prevent logging of passwords during initial
 distributed site login
Message-ID: <20141203085322.ABADA807F7@mail.mathias-kettner.de>

ID:          1587
Title:       Prevent logging of passwords during initial distributed site login
Component:   WATO
Level:       1
Class:       Security Fix
Version:     1.2.5i7

When creating a distributed monitoring setup using WATO, after configuring
a remote site in the central site, you need to login into the remote site
as admin user once to establish a trust between both sites.

This login was made using a HTTP get request, which is logged in the access
logs of the affected webservers (local system apache, local site apache,
remote system apache, remote site apache). All these log entries contain the
whole GET query string, which also includes the inserted username and password.

This has been fixed by replacing the GET request with a POST request where
the request vars are not logged in the access log.