Date: Wed, 12 Nov 2008 18:37:25 -0500 (EST)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: Andreas Ericsson <ae@....se>
cc: "Steven M. Christey" <coley@...us.mitre.org>,
        oss-security@...ts.openwall.com, Johannes Dagemark <jd@....se>,
        Ethan Galstad <egalstad@...ios.org>,
        Marc Schoenefeld <mschoene@...hat.com>
Subject: Re: CVE request: Nagios (two issues)


On Tue, 11 Nov 2008, Andreas Ericsson wrote:

> > Name: CVE-2008-5028
> > Status: Candidate
> > URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5028
> >
> > Cross-site request forgery (CSRF) vulnerability in cmd.cgi in (1)
> > Nagios 3.0.5 and (2) op5 Monitor before 4.0.1 allows remote attackers
> > to send commands to the Nagios process, and trigger execution of
> > arbitrary programs by this process, via unspecified HTTP requests.
> >
> >
>
> Actually, the CSRF issue is still in Nagios 3.0.5, but can no longer
> trigger execution of arbitrary programs by the Nagios process. Its
> impact is thereby reduced to disabling monitoring of the network and
> similar actions that can validly be requested from the Nagios process
> through the GUI.

What is the relationship between this CSRF issue and the one documented
here:

  http://www.nagios.org/development/history/nagios-3x.php

  "Security fix for Cross Site Request Forgery (CSRF) bug reported by Tim
   Starling."

Are these the same CSRF issue, or are we talking about a separate problem
that would need a separate new CVE?

- Steve
