oss-sec mailing list archives
Re: CVE request: monitorix: HTTP server 'handle_request()' session fixation & XSS vulnerabilities
From: George Theall <gtheall () tenable com>
Date: Tue, 10 Dec 2013 12:19:23 +0000
On Dec 9, 2013, at 6:43 PM, cve-assign () mitre org wrote:
> Also, https://github.com/mikaku/Monitorix/issues/30 says "The remote host is running GoScript. The installed version fails to properly sanitize user-supplied input to the 'go.cgi' script. An unauthenticated, remote attacker could exploit this flaw to execute arbitrary commands on the remote host." This is apparently a 2004 issue but does not have a CVE ID. Monitorix 3.3.1 apparently has a patch for it.
FYI - while this vulnerability in Monitorix was flagged by a plugin in Nessus that tests for the GoScript's go.cgi script code execution issue, our research verified that the issue is different. Monitorix doesn't include GoScript or even have a script named go.cgi. The issue in Monitorix arises because of code in the 'handle_request()' function in its 'lib/HTTPServer.pm', which fails to sanitize the target_cgi value before using it in a Perl 'open()' call:

----- snip, snip, snip -----
    my $url = $cgi->path_info();
    …
    $target = $url;
    while() {
        my $cur = length($target);
        $target =~ s/\.\.\///;
        $target =~ s/^\///;
        $target =~ s/\/$//;
        last unless $cur ne length($target);
    }
    $target = $target_cgi = "/$target";
    $target =~ s/^$base_url//;      # removes the 'base_url' part
    $target_cgi =~ s/^$base_cgi//;  # removes the 'base_cgi' part
    if(!$target || $target eq $base_url) {
        $target = "index.html" unless $target;
    }
    ($mimetype) = ($target =~ m/.*\.(html|cgi|png)$/);
    $target =~ s/^\///;             # removes leading slash
    $target_cgi =~ s/^\///;         # removes leading slash
    if($target_cgi eq "monitorix.cgi") {
        chdir("cgi");
        open(EXEC, "./$target_cgi |");
        @data = <EXEC>;
        close(EXEC);
    } elsif($target) {
        if(open(IN, $target)) {
            @data = <IN>;
            close(IN);
        }
    }
----- snip, snip, snip -----

The issue was fixed in this commit - https://github.com/mikaku/Monitorix/commit/ff80441be7089f774448dfe4b49e6fced70e71cb

George
--
theall () tenable com
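Added example, not Monitorix code and not the fix in the linked commit: a hardened form of the CGI dispatch shown above, in which the script name must match a fixed allowlist after normalisation and the child is started with the list form of open(), which never passes the name through a shell. The function names, the sample URLs and the base_url/base_cgi values are assumptions for this example.

```perl
#!/usr/bin/perl
# Hardened dispatch for the handle_request() pattern (added example, not
# Monitorix code). Two changes versus the original snippet:
#   1. only an allowlisted script name is ever executed, and
#   2. the child is started with list-form open(), so metacharacters in
#      the name can never alter the command line (no shell is involved).
use strict;
use warnings;

my %ALLOWED_CGI = ('monitorix.cgi' => 1);   # the only script the server may run

# Same normalisation loop as the original, then strip the base_cgi prefix.
sub normalise_target {
    my ($url, $base_cgi) = @_;
    my $target = $url;
    while () {                                # repeat until nothing changes
        my $cur = length($target);
        $target =~ s/\.\.\///;
        $target =~ s/^\///;
        $target =~ s/\/$//;
        last unless $cur ne length($target);
    }
    my $target_cgi = "/$target";
    $target_cgi =~ s/^\Q$base_cgi\E//;        # \Q..\E: prefix is literal, not a regex
    $target_cgi =~ s/^\///;                   # removes leading slash
    return $target_cgi;
}

# Runs an allowlisted CGI script and returns its output lines, or undef
# when the name is not on the allowlist. Hypothetical helper for this example.
sub run_cgi {
    my ($target_cgi, $cgi_dir) = @_;
    return undef unless $ALLOWED_CGI{$target_cgi};
    chdir($cgi_dir) or die "chdir $cgi_dir: $!";
    # List form: "./$target_cgi" is passed verbatim as argv[0]; no shell parses it.
    open(my $exec, '-|', "./$target_cgi") or die "exec $target_cgi: $!";
    my @data = <$exec>;
    close($exec);
    return \@data;
}

# Constructed inputs: a legitimate request and one with an altered script name.
for my $url ('/monitorix-cgi/monitorix.cgi', '/monitorix-cgi/monitorix.cgi;extra') {
    my $name = normalise_target($url, '/monitorix-cgi');
    printf "%-40s -> %s\n", $url, $ALLOWED_CGI{$name} ? 'dispatched' : 'rejected';
}
```

The first URL normalises to monitorix.cgi and is dispatched; the second is rejected by the allowlist before any open() is attempted.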