Bug 748072 (CVE-2011-4024)

Summary: CVE-2011-4024 ocsinventory: XSS flaw
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: fedora, jlieskov, xavier
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-03-22 01:47:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Vincent Danen 2011-10-21 22:20:34 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-4024 to
the following vulnerability:

Name: CVE-2011-4024
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4024
Assigned: 20111006
Reference: EXPLOIT-DB:18005
Reference: http://www.exploit-db.com/exploits/18005
Reference: http://www.ocsinventory-ng.org/fr/accueil/nouvelles/version-2-0-2-stable.html
Reference: http://www.securityfocus.com/bid/50011
Reference: OSVDB:76135
Reference: http://osvdb.org/76135
Reference: SECUNIA:46311
Reference: http://secunia.com/advisories/46311
Reference: XF:ocsinventoryng-unspecified-xss(70406)
Reference: http://xforce.iss.net/xforce/xfdb/70406

Cross-site scripting (XSS) vulnerability in ocsinventory in OCS
Inventory NG 2.0.1 and earlier allows remote attackers to inject
arbitrary web script or HTML via unspecified vectors.

Comment 1 Vincent Danen 2011-10-21 22:23:14 UTC
I'm not sure that this affects Fedora (as we ship 1.3.3).  Unfortunately, I am completely unable to find any patch for this and the upstream web site is really unhelpful.  Since there is no contact info on the site, I'm currently trying to find someone on IRC who may have further information.

Comment 2 Remi Collet 2011-10-22 07:58:46 UTC
Bug also affects version 1.3.3.

As an upgrade to 2.0.2 is not immediately possible (major code changes, bundled libraires, ...) I have wrote a patch, inspired from 2.0.2 fix.

I'm waiting for upstream feedback and will push a quick update soon.

About this issue, GLPI, when synchronized with OCS, is not affected (data are properly cleaned  before insert in the GLPI DB).

Comment 3 Jan Lieskovsky 2011-10-25 13:39:07 UTC
This issue affects the versions of the ocsinventory package, as shipped with Fedora release of 14 and 15.

--

This issue affects the versions of the ocsinventory package, as shipped within Fedora EPEL 4, Fedora EPEL 5 and Fedora EPEL 6 repositories.

Comment 4 Jan Lieskovsky 2011-10-25 13:46:45 UTC
This issue has been scheduled to be corrected in the following updates:
1) ocsinventory-1.3.3-5.fc16,
2) ocsinventory-1.3.3-5.fc15,
3) ocsinventory-1.3.3-5.fc14,
4) ocsinventory-1.3.3-5.el6,
5) ocsinventory-1.3.3-5.el5,
6) ocsinventory-1.3.3-5.el4.

The above packages have been pushed to particular -testing repositories, and upon required level of testing they will be pushed to -stable repositories.

Comment 5 Jan Lieskovsky 2011-10-25 13:50:04 UTC
Relevant upstream patches for the server code (thanks to Remi Collet for providing those):

[1] http://bazaar.launchpad.net/~ocsinventory-core/ocsinventory-ocsreports/stable-2.0/revision/789
[2] http://bazaar.launchpad.net/~ocsinventory-core/ocsinventory-ocsreports/stable-2.0/revision/792

Comment 6 Fedora Update System 2011-11-05 01:18:37 UTC
ocsinventory-1.3.3-5.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2011-11-14 00:52:03 UTC
ocsinventory-1.3.3-5.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2011-11-14 00:53:47 UTC
ocsinventory-1.3.3-5.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2011-11-14 18:56:58 UTC
ocsinventory-1.3.3-5.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2011-11-14 18:57:25 UTC
ocsinventory-1.3.3-5.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2011-11-14 18:57:37 UTC
ocsinventory-1.3.3-5.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.