Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 10 Dec 2013 12:19:23 +0000
From: George Theall <>
To: "<>" <>
CC: "" <>, ""
Subject: Re: CVE request: monitorix: HTTP server
 'handle_request()' session fixation & XSS vulnerabilities

On Dec 9, 2013, at 6:43 PM, wrote:

> Also, says "The remote
> host is running GoScript. The installed version fails to properly
> sanitize user-supplied input to the 'go.cgi' script. An
> unauthenticated, remote attacker could exploit this flaw to execute
> arbitrary commands on the remote host." This is apparently a 2004
> issue but does not have a CVE ID. Monitorix 3.3.1 apparently has a
> patch for it.

FYI - while this vulnerability in Monitorix was flagged by a plugin in Nessus that tests for the GoScript’s go.cgi script code execution issue, our research verified that the issue is different. Monitorix doesn’t include GoScript or even have a script named go.cgi.  The issue in Monitorix arises because of code in the ‘handle_request()’ function in its ‘lib/’, which fails to sanitize the target_cgi value before using it in a Perl 'open()' call; 

                         ----- snip, snip, snip ——
        my $url = $cgi->path_info();
        $target = $url;
        while() {
                my $cur = length($target);
                $target =~ s/\.\.\///;
                $target =~ s/^\///;
                $target =~ s/\/$//;
                last unless $cur ne length($target);
        $target = $target_cgi = "/$target”;

        $target =~ s/^$base_url//;        # removes the 'base_url' part
        $target_cgi =~ s/^$base_cgi//;        # removes the 'base_cgi' part
        if(!$target || $target eq $base_url) {
                $target = "index.html" unless $target;
        ($mimetype) = ($target =~ m/.*\.(html|cgi|png)$/);

        $target =~ s/^\///;                # removes leading slash
        $target_cgi =~ s/^\///;                # removes leading slash
        if($target_cgi eq "monitorix.cgi") {
                open(EXEC, "./$target_cgi |");
                @data = <EXEC>;
        } elsif($target) {
                if(open(IN, $target)) {
                        @data = <IN>;

                         ----- snip, snip, snip ——

The issue was fixed in this commit -


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.