Bug 1115983 (CVE-2014-4908)

Summary: CVE-2014-4908 pnp4nagios: Two URL Cross-Site Scripting Vulnerabilities
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: carnil, jrusnack, ondrejj, redhat
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-10-02 08:42:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1115984, 1115985    
Bug Blocks:    

Description Vasyl Kaigorodov 2014-07-03 13:04:23 UTC 
Two vulnerabilities have been reported in PNP4Nagios, which can be exploited by malicious people to conduct cross-site scripting attacks.

1) Input appended to the URL is not properly sanitised in "views/kohana_error_page.php" before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) Input appended to the URL is not properly sanitised in "views/template.php" before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Solution:
Fixed in the GIT repository.

Original Advisory:
PNP4Nagios:
https://github.com/lingej/pnp4nagios/commit/e4a19768a5c5e5b1276caf3dd5bb721a540ec014
https://github.com/lingej/pnp4nagios/commit/cb925073edeeb97eb4ce61a86cdafccc9b87f9bb

Gentoo bugreport:
https://bugs.gentoo.org/show_bug.cgi?id=516140

CVE request sent to oss-security.
Comment 1 Vasyl Kaigorodov 2014-07-03 13:04:54 UTC 
Created pnp4nagios tracking bugs for this issue:

Affects: epel-all [bug 1115984]
Affects: fedora-all [bug 1115985]
Comment 2 Vasyl Kaigorodov 2014-07-11 10:32:03 UTC 
CVE-2014-4740 was REJECTED: http://seclists.org/oss-sec/2014/q3/140
Correct CVE ID for this is CVE-2014-4908
Comment 3 Fedora Update System 2014-07-14 00:53:39 UTC 
pnp4nagios-0.6.22-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2014-07-14 00:54:42 UTC 
pnp4nagios-0.6.22-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2014-07-20 17:59:28 UTC 
pnp4nagios-0.6.22-2.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Jan ONDREJ 2014-10-01 11:13:20 UTC 
I don't understand. pnp4nagios has been already released in Fedora. Is this still a bug? Do you have some patches? If it's not a bug in Fedora, why this bug has been reopened?
Comment 7 Jan ONDREJ 2014-10-02 08:42:24 UTC 
Update already in stable. Closing. Please reopen if you think problem is still here.