Bug 713304 (CVE-2011-2191)

Summary: CVE-2011-2191 cherokee: CSRF and XSS vulnerabilities
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: gwolf, jlieskov, jrusnack, kurt, pavel.lisy
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-10-19 14:44:14 UTC
Bug Depends On: 713306, 713307

Description Vincent Danen 2011-06-14 22:25:21 UTC
Two flaws were reported in Cherokee.

The first (CVE-2011-2191) is that the Cherokee server admin configuration web interface is vulnerable to CSRF.  If an admin is logged into the Cherokee admin interface and visits a site which runs a malicious script, Cherokee can be reconfigured to execute arbitrary commands [1].  It is also possible to use the CSRF to produce a persistent XSS [2].

The second (CVE-2011-2090) is that Cherokee seeds srand with a combination of the time and the PID of the admin process, after which rand() is called to generate a random password -- this is unsafe and allows for fairly easy local password guessing by a local user [3].

[1] http://seclists.org/fulldisclosure/2011/Jun/0
[2] http://www.openwall.com/lists/oss-security/2011/06/03/6
[3] http://code.google.com/p/cherokee/issues/detail?id=1212

Comment 1 Vincent Danen 2011-06-14 22:27:05 UTC
Created cherokee tracking bugs for this issue

Affects: fedora-all [bug 713306]
Affects: epel-all [bug 713307]

Comment 2 Kurt Seifried 2011-06-15 01:34:22 UTC
Partial duplicate to 710471 (CVE-2011-2190)

Comment 3 Vincent Danen 2011-06-15 20:35:48 UTC
Ahh, didn't see we had a bug for that already.  Thanks!

Comment 4 Jan Lieskovsky 2011-10-19 14:44:14 UTC
This issue has been resolved via the following updates:
1) cherokee-1.2.101-1.fc15 for Fedora 15,
2) cherokee-1.2.101-1.fc14 for Fedora 14,
3) cherokee-1.2.101-1.el6 for Fedora EPEL 6,
4) cherokee-1.2.101-1.el5 for Fedora EPEL 5,
5) cherokee-1.2.101-1.el4 for Fedora EPEL 4.

These updated packages have been pushed to the -testing repository, and once their required testing is complete, they will be pushed to the -stable repository.

Comment 5 Gunnar Wolf 2012-03-09 16:22:19 UTC
This bug consists of two separate issues. AFAICT, the second one has been dealt with, but the first one is still open.

I am not really familiar with RedHat's workflow, but at least I have been unable to find anything fixing the CSRF bug, short of this mail sent by the upstream author, stating he has not found a way to solve it:

  http://www.openwall.com/lists/oss-security/2011/06/06/13