Date: Fri, 03 Jun 2011 11:01:15 -0500
From: Jamie Strandboge <>
To: Alvaro Lopez Ortega <>
Subject: Security issue in cherokee

A security bug was reported against cherokee in Ubuntu. You are being
emailed as the upstream contact. Please keep oss-security[1] CC'd for
any updates on this issue.

This issue should be considered public, but has not yet been assigned a
CVE. Once a CVE is assigned, please mention it in any changelogs.

Details from the public bug follow:

From the reporter:
The cherokee admin server is vulnerable to CSRF.

Using CSRF it is possible to produce a persistent XSS in several pages -
including the 'status' page via the 'nickname' field of a vserver.
An example of this is the following:

 <form action="" method="post">
 <input type="text" name="tmp!new_droot" value='/var/www/'>
 <input type="text" name="tmp!new_nick" value='" onselect=alert(1)
autofocus> <embed src="javascript:alert(document.cookie)">'>

A worst-case scenario could be something like the following:
If a user is logged in and the cherokee admin server is running on
localhost:9090 then if they visit a $bad page - the bad page may be able
to send requests to the server so as to reconfigure it to:

1. run as root
2. the logging of error (or access) will run a command ...

Thanks in advance for your cooperation in coordinating a fix for this.

Jamie Strandboge

[1] is a public mailing list for
    people to collaborate on security vulnerabilities and coordinate
    security updates.

Jamie Strandboge             |
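The two defences that close the chain described in this report, a per-session CSRF token checked on every configuration POST and escaping of the nickname when the status page is rendered, sketched as an added example; this is not cherokee-admin's code, and the Session class, the csrf_ok/apply_nickname/render_status functions and the default origin http://localhost:9090 are assumed for illustration.

```python
import hmac
import html
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Hypothetical admin session: the token is minted server-side and is
    only ever embedded in pages the admin server itself serves, so a page
    on another origin cannot read it to forge a matching POST."""
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))
    nickname: str = "default"


def csrf_ok(session: Session, form: dict, headers: dict, origin: str) -> bool:
    """Two independent checks: the submitted token must equal the session's
    token (constant-time compare), and the browser-supplied Origin header
    must be the admin server's own origin. A cross-site POST from a hostile
    page fails both."""
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return False
    return headers.get("Origin", "") == origin


def apply_nickname(session: Session, form: dict, headers: dict,
                   origin: str = "http://localhost:9090") -> int:
    """Handle the vserver nickname POST. Returns an HTTP status code:
    403 for a request that fails the CSRF checks, 200 when applied."""
    if not csrf_ok(session, form, headers, origin):
        return 403            # configuration is untouched
    session.nickname = form.get("tmp!new_nick", "")
    return 200


def render_status(session: Session) -> str:
    """Render the nickname into the status page. Escaping on output keeps
    quotes and angle brackets inert even if a hostile value was stored."""
    return '<td class="nick">%s</td>' % html.escape(session.nickname, quote=True)


if __name__ == "__main__":
    s = Session()
    # Constructed forged request: no token, Origin is the attacker's page.
    forged = {"tmp!new_nick": '" onselect=alert(1)'}
    print(apply_nickname(s, forged, {"Origin": "http://attacker.invalid"}))  # 403
    print(render_status(s))  # nickname is still "default"
```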

