Bug 437301 (CVE-2008-0892) - CVE-2008-0892 Director Server: shell command injection in CGI replication monitor
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-0892
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 442679
Blocks:
Reported: 2008-03-13 14:17 UTC by Tomas Hoger
Modified: 2019-09-29 12:24 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-08-22 16:54:35 UTC
Embargoed:


Attachments
cvs commit log - 8.0 changes (1.78 KB, text/plain)
2008-04-15 16:53 UTC, Rich Megginson


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2008:0199 | 0 | normal | SHIPPED_LIVE | Important: Red Hat Directory Server 7.1 Service Pack 5 security update | 2008-04-15 21:10:47 UTC
Red Hat Product Errata | RHSA-2008:0201 | 0 | normal | SHIPPED_LIVE | Critical: redhat-ds-admin security update | 2008-04-15 21:10:43 UTC

Description Tomas Hoger 2008-03-13 14:17:05 UTC
Richard Megginson discovered a shell command injection flaw in the Admin
Server's replication monitor CGI Perl script repl-monitor-cgi.pl.  Script
parameters were not properly sanitized prior to being passed to the system()
function.  An attacker able to access the replication monitor CGI script could
execute arbitrary shell commands with the privileges of the Admin Server.

Affected versions:
- Red Hat Directory Server 7.1
  - Admin Server runs with root privileges
- Red Hat Directory Server 8
  - Admin Server runs under an unprivileged user, the following users by default:
    - nobody on Red Hat Enterprise Linux and Solaris
    - daemon on HP-UX
- Fedora Directory Server
  - Admin Server runs under an unprivileged user, nobody by default

Comment 3 Mark J. Cox 2008-03-14 11:29:37 UTC
For RHDS7.1:
cvss2=7.7/AV:A/AC:L/Au:S/C:C/I:C/A:C

For RHDS8 and FDS8 the CVSSv2 score is lowered to 
cvss2=5.2/AV:A/AC:L/Au:S/C:P/I:P/A:P

Comment 11 Rich Megginson 2008-04-15 16:53:03 UTC
Created attachment 302494
cvs commit log - 8.0 changes

Resolves: bugs 437301 and 437320
Description: Directory Server: shell command injection in CGI replication
monitor
Directory Server: unrestricted access to CGI scripts
Fix Description: remove ScriptAlias for bin/admin/admin/bin - do not use that
directory for CGI URIs - use only protected URIs for CGIs requiring
authentication
Remove most CGI parameters from repl-monitor-cgi.pl - user must supply
replmon.conf in the admin server config directory instead of passing in this
pathname - repl-monitor-cgi.pl does not use system to call repl-monitor.pl, it
"includes" that script (using perl import).
Platforms tested: all supported platforms
Flag Day: no
Doc impact: release notes are available
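
The fix described in comment 11, sketched as an added example (not the commit's code, and not taken from repl-monitor-cgi.pl): the handler accepts no pathname, reads a fixed replmon.conf, and loads the monitor code in-process. The `refreshinterval` option, `monitor-lib.pl`, `run_monitor` and the temporary directory are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added illustration, not code from repl-monitor-cgi.pl; all names are hypothetical.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Constructed stand-ins for the admin server config directory and monitor script.
my $config_dir = tempdir(CLEANUP => 1);
my $conf   = File::Spec->catfile($config_dir, 'replmon.conf');
my $script = File::Spec->catfile($config_dir, 'monitor-lib.pl');
write_file($conf,   "[connection]\n");
write_file($script, 'sub run_monitor { my ($f) = @_; return "report from $f" } 1;');

# General shape of the flaw in the description (kept as a comment, not run):
#   system("monitor.pl -f $param{configfile}");   # request data reaches /bin/sh
# Shape of the fix in comment 11: no pathname parameter, a fixed replmon.conf,
# and the monitor code loaded into this process instead of run via system().
sub handle_request {
    my (%param) = @_;
    # Allow-list: refuse anything except the one (hypothetical) numeric option.
    my @unexpected = grep { $_ ne 'refreshinterval' } keys %param;
    return (400, 'unexpected parameter') if @unexpected;
    my $interval = $param{refreshinterval} // 300;
    return (400, 'bad refreshinterval') unless $interval =~ /\A[0-9]{1,5}\z/;
    return (500, 'replmon.conf missing') unless -f $conf;
    require $script;    # in-process include; no shell is started
    return (200, run_monitor($conf) . ", refresh ${interval}s");
}

sub write_file {
    my ($path, $content) = @_;
    open my $fh, '>', $path or die "$path: $!";
    print {$fh} $content;
    close $fh or die "$path: $!";
}

# Constructed requests: default, valid option, and a caller-supplied pathname.
for my $req ({}, { refreshinterval => 60 }, { configfile => '/tmp/other.conf' }) {
    my ($status, $body) = handle_request(%$req);
    print "$status $body\n";
}
```

Rejecting unknown parameters with an error, rather than silently dropping them, makes requests that still send a pathname visible in the server logs.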

Comment 12 Tomas Hoger 2008-04-15 20:50:54 UTC
Lifting embargo.

Comment 14 Fedora Update System 2008-04-22 00:01:54 UTC
fedora-ds-admin-1.1.4-1.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2008-04-22 00:02:26 UTC
fedora-ds-admin-1.1.4-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Rich Megginson 2008-06-09 15:44:42 UTC
Checking in adminserver/admserv/cfgstuff/admserv.conf.in;
/cvs/dirsec/adminserver/admserv/cfgstuff/admserv.conf.in,v  <--  admserv.conf.in
new revision: 1.11; previous revision: 1.10
done
Checking in adminserver/admserv/cgi-src40/repl-monitor-cgi.pl.in;
/cvs/dirsec/adminserver/admserv/cgi-src40/repl-monitor-cgi.pl.in,v  <--  repl-monitor-cgi.pl.in
new revision: 1.2; previous revision: 1.1
done

