Bug 1038071 (CVE-2013-7070, CVE-2013-7071, CVE-2013-7072)

Summary: CVE-2013-7070 CVE-2013-7071 CVE-2013-7072 monitorix: HTTP server 'handle_request()' session fixation & XSS vulnerabilities
Product: [Other] Security Response Reporter: Ratul Gupta <ratulg>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: cickumqt, jrusnack, mmcallis
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: monitorix 3.4.0 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-12-31 02:57:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1038073, 1038074    
Bug Blocks:    

Description Ratul Gupta 2013-12-04 11:08:30 UTC
Monitorix, an open source system monitoring tool, was found to be vulnerable to two XSS vulnerabilities, which could allow attackers to execute arbitrary script code in a user's browser in the context of the Web server process, access sensitive data, or hijack a user's session.

The issue is that the built-in HTTP server failed to adequately sanitize request strings of malicious JavaScript. So by leveraging this issue, an attacker may be able to inject arbitrary cookies. The same issue could also cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site. Input passed via requests to the "handle_request()" function (lib/HTTPServer.pm) is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The issue is said to be fixed in Monitorix 3.40.

References:
http://www.securityfocus.com/bid/63913/info
http://secunia.com/advisories/55857/
http://www.monitorix.org/news.html#N340

Comment 1 Ratul Gupta 2013-12-04 11:11:44 UTC
Created monitorix tracking bugs for this issue:

Affects: fedora-all [bug 1038073]
Affects: epel-6 [bug 1038074]

Comment 2 Fedora Update System 2013-12-05 03:23:49 UTC
monitorix-3.4.0-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 3 Fedora Update System 2013-12-13 05:01:51 UTC
monitorix-3.4.0-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2013-12-14 02:50:16 UTC
monitorix-3.4.0-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Murray McAllister 2014-06-17 07:04:38 UTC
Note that CVE-2013-7072 has been rejected:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7072

No further details available at the moment

Comment 6 Murray McAllister 2014-06-17 07:37:22 UTC
(In reply to Murray McAllister from comment #5)
> Note that CVE-2013-7072 has been rejected:
> 
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7072
> 
> No further details available at the moment

Reasoning from MITRE in <http://seclists.org/oss-sec/2014/q2/541>