Bug 1038071 - (CVE-2013-7070, CVE-2013-7071, CVE-2013-7072) CVE-2013-7070 CVE-2013-7071 CVE-2013-7072 monitorix: HTTP server 'handle_request()' session fixation & XSS vulnerabilities
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20131121,repor...
Keywords: Security
Depends On: 1038073 1038074
Reported: 2013-12-04 06:08 EST by Ratul Gupta
Modified: 2016-01-26 07:46 EST (History)
Fixed In Version: monitorix 3.4.0
Doc Type: Bug Fix
Last Closed: 2013-12-30 21:57:20 EST


Description Ratul Gupta 2013-12-04 06:08:30 EST
Monitorix, an open source system monitoring tool, was found to be vulnerable to two XSS vulnerabilities, which could allow attackers to execute arbitrary script code in a user's browser in the context of the Web server process, access sensitive data, or hijack a user's session.

The issue is that the built-in HTTP server failed to adequately sanitize request strings of malicious JavaScript. So by leveraging this issue, an attacker may be able to inject arbitrary cookies. The same issue could also cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site. Input passed via requests to the "handle_request()" function (lib/HTTPServer.pm) is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The issue is said to be fixed in Monitorix 3.40.

References:
http://www.securityfocus.com/bid/63913/info
http://secunia.com/advisories/55857/
http://www.monitorix.org/news.html#N340
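The description above covers the bug class (a built-in HTTP server echoing the request string into a response without escaping, and request-derived data reaching response headers) but not the code. The following is an added Python illustration, not Monitorix's own Perl code from lib/HTTPServer.pm: the functions, the error-page template and the access-log lines are all constructed for this example. It places the unescaped pattern beside the hardened form, adds a header-value sanitiser for the cookie-injection angle, and includes a small log scan a defender can run to spot requests carrying markup or header-control characters.

```python
"""Added illustration (Python, not Monitorix's Perl HTTPServer.pm) of the
bug class described in the report: request strings reflected into HTML
unescaped, request-derived values placed into response headers, and a
defender-side access-log check. All names and samples are constructed."""
import html
import re
from urllib.parse import unquote


def render_404_unsafe(request_target: str) -> str:
    """Hypothetical vulnerable pattern: the raw request target is
    interpolated into the error page, so any markup it carries is rendered
    by the browser in the site's origin (reflected XSS)."""
    return ("<html><body><h1>404 Not Found</h1>"
            f"<p>The requested URL {request_target} was not found.</p>"
            "</body></html>")


def render_404_safe(request_target: str) -> str:
    """Hardened form: &, <, >, \" and ' are escaped before the string
    reaches the HTML body, so the browser shows the text instead of
    interpreting it."""
    escaped = html.escape(request_target, quote=True)
    return ("<html><body><h1>404 Not Found</h1>"
            f"<p>The requested URL {escaped} was not found.</p>"
            "</body></html>")


_HEADER_CTRL = re.compile(r"[\r\n\x00]")


def header_value(value: str) -> str:
    """Strip CR, LF and NUL from a request-derived string before it is
    emitted in a response header (e.g. a cookie value or Location), so it
    cannot terminate the header and start a new one such as Set-Cookie."""
    return _HEADER_CTRL.sub("", value)


def echoes_markup_unescaped(page: str, request_target: str) -> bool:
    """True if a request target containing markup characters appears
    verbatim in the response body, i.e. the reflection was not escaped."""
    has_markup = any(c in request_target for c in "<>\"'")
    return has_markup and request_target in page


# Matches the request line inside a common-log-format entry (constructed).
_LOG_LINE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/\d\.\d"')


def suspicious_request_targets(log_lines):
    """Return the URL-decoded request targets that carry markup or
    header-control characters; a cheap review filter for the access log
    of a monitoring daemon's built-in web server."""
    hits = []
    for line in log_lines:
        match = _LOG_LINE.search(line)
        if not match:
            continue
        target = unquote(match.group("target"))
        if re.search(r'[<>"\r\n]', target):
            hits.append(target)
    return hits


# Constructed sample access-log lines (not from any real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Dec/2013:06:08:30 -0500] '
    '"GET /monitorix.cgi?mode=localhost HTTP/1.1" 200 512',
    '203.0.113.7 - - [04/Dec/2013:06:09:01 -0500] '
    '"GET /does-not-exist/%3Cb%3Emarker%3C/b%3E HTTP/1.1" 404 180',
    '203.0.113.9 - - [04/Dec/2013:06:09:15 -0500] '
    '"GET /x?name=%0d%0aX-Injected:%201 HTTP/1.1" 404 180',
]


if __name__ == "__main__":
    probe = "/does-not-exist/<b>marker</b>"
    print("unsafe page echoes markup:",
          echoes_markup_unescaped(render_404_unsafe(probe), probe))
    print("hardened page echoes markup:",
          echoes_markup_unescaped(render_404_safe(probe), probe))
    print("header value after stripping:",
          repr(header_value("sid=abc\r\nSet-Cookie: x=1")))
    print("flagged log targets:", suspicious_request_targets(SAMPLE_LOG))
```

Escaping at the point where the string enters HTML, rather than trying to filter "malicious JavaScript" out of the request, is the durable fix; the log scan is only a triage aid and should be read alongside the server's own access control, since a monitoring daemon's built-in web server is rarely meant to be reachable from untrusted networks at all.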
Comment 1 Ratul Gupta 2013-12-04 06:11:44 EST
Created monitorix tracking bugs for this issue:

Affects: fedora-all [bug 1038073]
Affects: epel-6 [bug 1038074]
Comment 2 Fedora Update System 2013-12-04 22:23:49 EST
monitorix-3.4.0-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 3 Fedora Update System 2013-12-13 00:01:51 EST
monitorix-3.4.0-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2013-12-13 21:50:16 EST
monitorix-3.4.0-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Murray McAllister 2014-06-17 03:04:38 EDT
Note that CVE-2013-7072 has been rejected:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7072

No further details available at the moment
Comment 6 Murray McAllister 2014-06-17 03:37:22 EDT
(In reply to Murray McAllister from comment #5)
> Note that CVE-2013-7072 has been rejected:
> 
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7072
> 
> No further details available at the moment

Reasoning from MITRE in <http://seclists.org/oss-sec/2014/q2/541>
