This repository has been archived by the owner on Dec 13, 2022. It is now read-only.

fix(security): do not allow to get all services using downtime ajax file #8022

Merged: 2 commits, Oct 28, 2019

@kduret kduret commented Oct 21, 2019

Description

Do not allow retrieving all configured services using a curl request

Fixes MON-4184

Type of change

  • Patch fixing an issue (non-breaking change)
  • New functionality (non-breaking change)
  • Breaking change (patch or feature) that might cause side effects breaking part of the Software
  • Updating documentation (missing information, typo...)

Target series

  • 2.8.x
  • 18.10.x
  • 19.04.x
  • 19.10.x (master)

How can this pull request be tested?

curl -d 'host_id=-1' http://<ip_address>/centreon/include/monitoring/recurrentDowntime/GetXMLHost4Services.php
==> the file should not exist anymore

@kduret kduret merged commit 1722da5 into master Oct 28, 2019
@kduret kduret deleted the MON-4184-recurrent-downtime-injection branch October 28, 2019 09:56
@lbrossault

The CVE ID assigned to this security fix is CVE-2019-17643
