Date: Tue, 10 Dec 2013 19:08:13 +0000
From: George Theall <>
To: "<>" <>
CC: "" <>, ""
Subject: Re: Re: CVE request: monitorix: HTTP server
 'handle_request()' session fixation & XSS vulnerabilities

On Dec 10, 2013, at 12:35 PM, <> <> wrote:

> Yes, we recognize that is an
> additional reference. Relative to what we previously posted, existence
> of this reference does not simplify the situation, because it says
> "Two vulnerabilities have been reported" and then perhaps proceeds to
> state what only one of the vulnerabilities is. Or, alternatively,
> maybe that Secunia advisory is implicitly categorizing $target and
> $target_cgi as separate vulnerabilities.
> Does anyone wish to contribute the information about whether the first
> problem fix (involving allowable characters in the $target and
> $target_cgi variables in lib/ was part of 3.3.1, or only
> part of 3.4.0? If not, we can have someone at MITRE try to locate a
> copy of 3.3.1 later.

Older releases of Monitorix are available from , and browsing the source for 3.3.1, you will find the commit from is indeed included in that, as reflected in both the ‘Changes’ and ‘lib/’ files.

> says
>   Fixed to correctly sanitize the input string in the built-in HTTP server
>   which led into a number of security vulnerabilities. [#30]
> in both the 3.3.1 and 3.4.0 changelog entries. Also, as we previously
> posted, the vendor referred to "two security issues ... not covered
> yet in the previous 3.3.1 version" when announcing 3.4.0. We see that
> there is a second XSS-related commit involving the PATH_INFO (aka the
> $url variable) but this isn't necessarily "two security issues" by
> itself. So, we still don't know how many CVE IDs to assign, and we
> would prefer not to assign any CVE IDs until the meaning and scope of
> each ID is at least somewhat understood.
> - -- 
> CVE assignment team, MITRE CVE Numbering Authority
> M/S M300
> 202 Burlington Road, Bedford, MA 01730 USA
> [ PGP key available through ]

