From lm at mathias-kettner.de Wed Nov 12 15:38:38 2014
From: lm at mathias-kettner.de (Lars Michelsen)
Date: Wed, 12 Nov 2014 15:38:38 +0100 (CET)
Subject: Check_MK Werk 1500: Preventing livestatus injections in different places
Message-ID: <20141112143838.E4FAB81C53@mail.mathias-kettner.de>

ID: 1500
Title: Preventing livestatus injections in different places
Component: Multisite
Level: 2
Class: Security Fix
Version: 1.2.5i7

In some places strings provided by the users, e.g. by filling values into a form, are used to construct livestatus queries. This is, for example, done when filtering views or executing commands. Previous versions were directly using the strings provided by the user without escaping or filtering characters, which could lead to some trouble.

This has been fixed now. The strings provided by the user are now filtered before using them in livestatus queries. For the moment the only implemented action is to remove all newline (\n) characters from the values to prevent injections of non-intended livestatus queries / commands.

From lm at mathias-kettner.de Wed Nov 12 15:38:39 2014
From: lm at mathias-kettner.de (Lars Michelsen)
Date: Wed, 12 Nov 2014 15:38:39 +0100 (CET)
Subject: Check_MK Werk 1069: Replaced insecure auth.secret mechanism
Message-ID: <20141112143839.45C4C81C78@mail.mathias-kettner.de>

ID: 1069
Title: Replaced insecure auth.secret mechanism
Component: Multisite
Level: 2
Class: Security Fix
Version: 1.2.5i7

We replaced an insecure mechanism of generating the auth.secret which is used during construction of the authentication cookies when a user logs into the Check_MK Web GUI to make the authentication cookie only valid for an individual site or a group of sites connected in a distributed setup.

What you have to know about: When the first user accesses the Web GUI after the update to this version, all currently valid auth cookies of all users will be invalidated. As a result all users will need to log in again.

In distributed setups you will also need to do a replication from the master site (which generated a new secret) to all slave sites (which generated another secret themselves). The replication will synchronize the new secret of the master to all slaves, which should make the transparent authentication between all sites work again.

From lm at mathias-kettner.de Wed Nov 12 15:38:39 2014
From: lm at mathias-kettner.de (Lars Michelsen)
Date: Wed, 12 Nov 2014 15:38:39 +0100 (CET)
Subject: Check_MK Werk 1499: Fixed XSS injections in different places
Message-ID: <20141112143839.72E1681C56@mail.mathias-kettner.de>

ID: 1499
Title: Fixed XSS injections in different places
Component: Multisite
Level: 1
Class: Security Fix
Version: 1.2.5i7

Fixed different XSS injections in the Check_MK multisite code where an authenticated user could inject custom script code to be executed during page rendering.
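An added illustration of the filtering Werk 1500 describes (example code, not Check_MK's own): livestatus queries are newline-separated header lines, so a user value carrying a newline can become an extra header, and removing newlines keeps the value inside the single Filter: line. The function names and the sample host value are my own constructions.

```python
# Added example, not Check_MK code. Livestatus parses a query as one header
# per line ("GET hosts", "Columns: ...", "Filter: ..."), which is why a
# newline inside a user-supplied value changes the structure of the query.

def livestatus_escape(value):
    """Remove all newline characters from a user-supplied value.

    Werk 1500 states this is the only filtering action implemented at that
    point, so this helper does exactly that and nothing more.
    """
    return value.replace("\n", "")


def build_host_query(host_name, escape=True):
    """Build a livestatus GET query filtered on a host name.

    escape=True applies the Werk 1500 filtering; escape=False reproduces
    the earlier behaviour of using the user string unmodified.
    """
    value = livestatus_escape(host_name) if escape else host_name
    return "GET hosts\nColumns: name state\nFilter: name = %s\n" % value


def query_headers(query):
    """Return the header lines livestatus would see for this query."""
    return [line for line in query.split("\n") if line]


if __name__ == "__main__":
    # Constructed sample: a form value that contains a newline.
    user_value = "myhost\nFilter: name ~ ."
    for escape in (False, True):
        headers = query_headers(build_host_query(user_value, escape=escape))
        print("escape=%s -> %d header lines: %r" % (escape, len(headers), headers))
```

With escaping the user value stays a single (now merely odd-looking) Filter: header; without it the query gains a fourth header line it was never meant to have.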