Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 9 Dec 2013 18:43:18 -0500 (EST)
From: cve-assign@...re.org
To: ratulg@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: monitorix: HTTP server 'handle_request()' session fixation & XSS vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> https://bugzilla.redhat.com/show_bug.cgi?id=1038071

In reading this, we were not sure what vulnerability or
vulnerabilities you are referring to. First, the Subject line mentions
session fixation, but the body of the message doesn't mention session
fixation.

https://github.com/mikaku/Monitorix/issues/30 says "The remote host is
running a web server that fails to adequately sanitize request strings
of malicious JavaScript. By leveraging this issue, an attacker may be
able to inject arbitrary cookies. Depending on the structure of the
web application, it may be possible to launch a 'session fixation'
attack using this mechanism." This suggests some possibility that the
session fixation issue is resultant from an XSS vulnerability. In that
situation, the session fixation issue could not be assigned a separate
CVE ID.

Also, https://github.com/mikaku/Monitorix/issues/30 says "The remote
host is running GoScript. The installed version fails to properly
sanitize user-supplied input to the 'go.cgi' script. An
unauthenticated, remote attacker could exploit this flaw to execute
arbitrary commands on the remote host." This is apparently a 2004
issue but does not have a CVE ID. Monitorix 3.3.1 apparently has a
patch for it.

http://www.monitorix.org/news.html says "3.3.1 version released ...
21-Nov-2013 ... This is a maintenance release that fixes a serious bug
in the built-in HTTP server. It was discovered that the
handle_request() routine did not properly perform input sanitization
which led into a number of security vulnerabilities." (This is about
some or all of the https://github.com/mikaku/Monitorix/issues/30
page).

http://www.monitorix.org/news.html also says "3.4.0 version
released ... 02-Dec-2013 ... This version also fixes an important
number of bugs and two security issues ... not covered yet in the
previous 3.3.1 version." These would very likely need separate CVE
IDs.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJSplHIAAoJEKllVAevmvms0jAH/0RNtdKYSSGixfL2e4TABdMo
27U2T/rM0cH6Bk9xMyIH0vtqhHsOsaMB266PEym9iy+Hntf+/OiCizA8HAbdeLoi
xFjyYnWNAmuLnictLQ7S4zuwHMlA/3S9MsPS4ZaSpYmKkyb7YsxzSXNHmawss/XB
wOuLDHyFu5JV6/5o6CfACKdAXxUjE569O8v647zH6XYhsaaEQJTe7TxRybJzLKgY
YQrzp4Mh8QhMB2KNR9FO8zR9HfkTU0UoLzBQ/t52+ZmKi4eBOdzhi9La1hBgXleW
NWBpx7zgnrAVN8bZ6xR3MiIa3fQtS4ncHhmliLzW5Qjrz7rZWNiTIKdwLiutDiI=
=vNaA
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.