oss-sec mailing list archives

Re: CVE request: monitorix: HTTP server 'handle_request()' session fixation & XSS vulnerabilities


From: George Theall <gtheall () tenable com>
Date: Tue, 10 Dec 2013 12:19:23 +0000


On Dec 9, 2013, at 6:43 PM, cve-assign () mitre org wrote:

> Also, https://github.com/mikaku/Monitorix/issues/30 says "The remote
> host is running GoScript. The installed version fails to properly
> sanitize user-supplied input to the 'go.cgi' script. An
> unauthenticated, remote attacker could exploit this flaw to execute
> arbitrary commands on the remote host." This is apparently a 2004
> issue but does not have a CVE ID. Monitorix 3.3.1 apparently has a
> patch for it.

FYI - while this vulnerability in Monitorix was flagged by a plugin in Nessus that tests for the GoScript 'go.cgi'
script code execution issue, our research verified that the issue is different. Monitorix doesn't include GoScript or
even have a script named go.cgi. The issue in Monitorix arises because of code in the 'handle_request()' function in
its 'lib/HTTPServer.pm', which fails to sanitize the target_cgi value before using it in a Perl 'open()' call:

                         ----- snip, snip, snip -----
        my $url = $cgi->path_info();
…
        $target = $url;
        while() {
                my $cur = length($target);
                $target =~ s/\.\.\///;
                $target =~ s/^\///;
                $target =~ s/\/$//;
                last unless $cur ne length($target);
        }
        $target = $target_cgi = "/$target";

        $target =~ s/^$base_url//;        # removes the 'base_url' part
        $target_cgi =~ s/^$base_cgi//;        # removes the 'base_cgi' part
        if(!$target || $target eq $base_url) {
                $target = "index.html" unless $target;
        }
        ($mimetype) = ($target =~ m/.*\.(html|cgi|png)$/);

        $target =~ s/^\///;                # removes leading slash
        $target_cgi =~ s/^\///;                # removes leading slash
        if($target_cgi eq "monitorix.cgi") {
                chdir("cgi");
                open(EXEC, "./$target_cgi |");
                @data = <EXEC>;
                close(EXEC);
        } elsif($target) {
                if(open(IN, $target)) {
                        @data = <IN>;
                        close(IN);
                }
        }

                         ----- snip, snip, snip -----

The issue was fixed in this commit - https://github.com/mikaku/Monitorix/commit/ff80441be7089f774448dfe4b49e6fced70e71cb


George
-- 
theall () tenable com
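As an added example, not part of this post or of the Monitorix project's own fix: a hardened variant of the file/CGI dispatch shown in the excerpt above, using an allowlist on the request path, a literal (\Q..\E) base prefix, and three-argument open() so that a request path can never select a pipe. The helper names (safe_target, serve, %ALLOWED_CGI) and the cgi/ directory layout are assumptions.

```perl
#!/usr/bin/perl
# Added example (not Monitorix code): hardened form of the dispatch in the
# quoted handle_request() excerpt. Names and layout here are assumptions.
use strict;
use warnings;

# Only this script may be executed; everything else is served as a file.
my %ALLOWED_CGI = ('monitorix.cgi' => 1);

# Reduce PATH_INFO to a safe relative file name, or return undef.
sub safe_target {
    my ($path_info, $base_url) = @_;
    my $target = $path_info // '';
    $target =~ s/^\Q$base_url\E//;     # \Q..\E: base is a literal, not a regex
    $target =~ s{^/+}{};               # strip leading slashes
    $target = 'index.html' if $target eq '';
    # Allowlist every segment: no empty, ".", "..", or hidden entries,
    # and only [A-Za-z0-9_.-] characters, so no shell metacharacters.
    for my $seg (split m{/}, $target, -1) {
        return undef if $seg eq '' || $seg eq '.' || $seg eq '..';
        return undef unless $seg =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/;
    }
    return undef unless $target =~ /\.(?:html|cgi|png)\z/;
    return $target;
}

# Returns (status, body); reads either the CGI output or a static file.
sub serve {
    my ($path_info, $base_url) = @_;
    my $target = safe_target($path_info, $base_url);
    return (400, "bad request") unless defined $target;
    my @data;
    if ($ALLOWED_CGI{$target}) {
        # Pipe open with an explicit mode; $target already passed the
        # allowlist and matched a fixed key, so no metacharacters reach here.
        open(my $exec, '-|', "./cgi/$target") or return (500, "cgi failed");
        @data = <$exec>;
        close($exec);
    } else {
        # Three-arg open with '<': a name such as "cmd|" is a plain file
        # name here, whereas two-arg open(IN, $target) would run a command.
        open(my $in, '<', $target) or return (404, "not found");
        @data = <$in>;
        close($in);
    }
    return (200, join('', @data));
}

my ($status, $body) = serve($ENV{PATH_INFO}, '/monitorix');
print "Status: $status\n\n$body";
```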

