Bug 437301 (CVE-2008-0892)
| Summary: | CVE-2008-0892 Director Server: shell command injection in CGI replication monitor | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> | ||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
| Status: | CLOSED ERRATA | QA Contact: | |||||
| Severity: | high | Docs Contact: | |||||
| Priority: | high | ||||||
| Version: | unspecified | CC: | benl, bressers, mharmsen, rmeggins, security-response-team | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2015-08-22 16:54:35 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 442679 | ||||||
| Bug Blocks: | |||||||
| Attachments: |
|
||||||
For RHDS7.1: cvss2=7.7/AV:A/AC:L/Au:S/C:C/I:C/A:C For RHDS8 and FDS8 the CVSSv2 score is lowered to cvss2=5.2/AV:A/AC:L/Au:S/C:P/I:P/A:P Created attachment 302494 [details]
cvs commit log - 8.0 changes
Resolves: bugs 437301 and 437320
Description: Directory Server: shell command injection in CGI replication
monitor
Directory Server: unrestricted access to CGI scripts
Fix Description: remove ScriptAlias for bin/admin/admin/bin - do not use that
directory for CGI URIs - use only protected URIs for CGIs requiring
authentication
Remove most CGI parameters from repl-monitor-cgi.pl - user must supply
replmon.conf in the admin server config directory instead of passing in this
pathname - repl-monitor-cgi.pl does not use system to call repl-monitor.pl, it
"includes" that script (using perl import).
Platforms tested: all supported platforms
Flag Day: no
Doc impact: release notes are available
Lifting embargo. fedora-ds-admin-1.1.4-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report. fedora-ds-admin-1.1.4-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report. Checking in adminserver/admserv/cfgstuff/admserv.conf.in; /cvs/dirsec/adminserver/admserv/cfgstuff/admserv.conf.in,v <-- admserv.conf.in new revision: 1.11; previous revision: 1.10 done Checking in adminserver/admserv/cgi-src40/repl-monitor-cgi.pl.in; /cvs/dirsec/adminserver/admserv/cgi-src40/repl-monitor-cgi.pl.in,v <-- repl-monitor-cgi.pl.in new revision: 1.2; previous revision: 1.1 done |
Richard Megginson discovered a shell command injection flaw in the Admin Server's replication monitor CGI perl script repl-monitor-cgi.pl. Script parameters were not properly sanitized prior to being passed to system() function. An attacker able to access replication monitor CGI script could execute arbitrary shell command with privileges of Admin Server. Affected versions: - Red Hat Directory Server 7.1 - Admin Server runs with root privileges - Red Hat Directory Server 8 - Admin Server runs under an unprivileged user, following users by default: - nobody on Red Hat Enterprise Linux and Solaris - daemon on HP-UX - Fedora Directory Server - Admin Server runs under an unprivileged user, nobody by default