Message-ID: <52A7064E.9000200@redhat.com>
Date: Tue, 10 Dec 2013 17:47:18 +0530
From: Ratul Gupta <ratulg@...hat.com>
To: oss-security@...ts.openwall.com
CC: cve-assign@...re.org
Subject: Re: CVE request: monitorix: HTTP server 'handle_request()' session fixation & XSS vulnerabilities

On 12/10/2013 05:13 AM, cve-assign@...re.org wrote:
>> https://bugzilla.redhat.com/show_bug.cgi?id=1038071
> In reading this, we were not sure what vulnerability or
> vulnerabilities you are referring to. First, the Subject line mentions
> session fixation, but the body of the message doesn't mention session
> fixation.
>
> https://github.com/mikaku/Monitorix/issues/30 says "The remote host is
> running a web server that fails to adequately sanitize request strings
> of malicious JavaScript. By leveraging this issue, an attacker may be
> able to inject arbitrary cookies. Depending on the structure of the
> web application, it may be possible to launch a 'session fixation'
> attack using this mechanism." This suggests some possibility that the
> session fixation issue is resultant from an XSS vulnerability. In that
> situation, the session fixation issue could not be assigned a separate
> CVE ID.
>
> Also, https://github.com/mikaku/Monitorix/issues/30 says "The remote
> host is running GoScript. The installed version fails to properly
> sanitize user-supplied input to the 'go.cgi' script. An
> unauthenticated, remote attacker could exploit this flaw to execute
> arbitrary commands on the remote host." This is apparently a 2004
> issue but does not have a CVE ID. Monitorix 3.3.1 apparently has a
> patch for it.
>
> http://www.monitorix.org/news.html says "3.3.1 version released ...
> 21-Nov-2013 ... This is a maintenance release that fixes a serious bug
> in the built-in HTTP server. It was discovered that the
> handle_request() routine did not properly perform input sanitization
> which led into a number of security vulnerabilities." (This is about
> some or all of the https://github.com/mikaku/Monitorix/issues/30
> page).
>
> http://www.monitorix.org/news.html also says "3.4.0 version
> released ... 02-Dec-2013 ... This version also fixes an important
> number of bugs and two security issues ... not covered yet in the
> previous 3.3.1 version." These would very likely need separate CVE
> IDs.
>
> - -- 
> CVE assignment team, MITRE CVE Numbering Authority
> M/S M300
> 202 Burlington Road, Bedford, MA 01730 USA
> [ PGP key available through http://cve.mitre.org/cve/request_id.html ]
The issues which need CVEs are described here:
http://secunia.com/advisories/55857/

-- 
Regards,

Ratul Gupta / Red Hat Security Response Team
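The quoted advisory text describes the bug class behind this request: a built-in HTTP server that reflects request strings into its pages without escaping, so script markup in a parameter reaches the browser. The following is an added illustration written for this thread, not code from Monitorix (whose server is Perl; Python is used here so the example runs stand-alone). The request line, the path, the `mode` parameter name and the helper names are all constructed for the example and are not taken from the project.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request line (hypothetical path and parameter, not Monitorix's):
# the query carries percent-encoded script markup in the 'mode' value.
SAMPLE_REQUEST_LINE = "GET /status.cgi?mode=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1"


def parse_request_line(line):
    """Split a minimal HTTP request line into (method, path, query dict).

    parse_qs splits on '&' and '=' before percent-decoding, so an encoded
    '=' or '&' inside a value stays inside that value.
    """
    method, target, _version = line.split(" ", 2)
    parts = urlsplit(target)
    return method, parts.path, parse_qs(parts.query)


def render_unsafe(query):
    """Reflects the raw parameter into HTML: the 'no input sanitization'
    pattern the advisory describes. Kept here only as the 'before' form."""
    mode = query.get("mode", [""])[0]
    return f"<h1>Mode: {mode}</h1>"


def render_escaped(query):
    """Same page, but the reflected value is HTML-escaped first, so '<', '>'
    and quotes become entities and cannot open a tag or attribute."""
    mode = query.get("mode", [""])[0]
    return f"<h1>Mode: {html.escape(mode, quote=True)}</h1>"


def reflects_raw_markup(response_body, value):
    """Simple check a reviewer or test harness can run: does a parameter value
    containing tag characters appear verbatim (unescaped) in the response?"""
    has_markup = "<" in value or ">" in value
    return has_markup and value in response_body


if __name__ == "__main__":
    _method, path, query = parse_request_line(SAMPLE_REQUEST_LINE)
    print("path:", path)
    print("unsafe body: ", render_unsafe(query))
    print("escaped body:", render_escaped(query))
    print("unsafe reflects raw markup:", reflects_raw_markup(render_unsafe(query), query["mode"][0]))
    print("escaped reflects raw markup:", reflects_raw_markup(render_escaped(query), query["mode"][0]))
```

The point of the check function is that "sanitization" for a reflected value means output encoding at the HTML sink, not stripping a blacklist of strings from the request; running `reflects_raw_markup` against every page that echoes a request parameter is a cheap regression test for the class of bug fixed in 3.3.1.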
