Bug 437320 (CVE-2008-0893) - CVE-2008-0893 Directory Server: unrestricted access to CGI scripts
Summary: CVE-2008-0893 Directory Server: unrestricted access to CGI scripts
Alias: CVE-2008-0893
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Whiteboard: source=redhat,reported=20080312,publi...
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2008-03-13 15:22 UTC by Tomas Hoger
Modified: 2011-09-30 01:20 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2011-09-30 01:20:05 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
cvs commit log (1.78 KB, text/plain)
2008-04-15 16:52 UTC, Rich Megginson
no flags Details

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0201 normal SHIPPED_LIVE Critical: redhat-ds-admin security update 2008-04-15 21:10:43 UTC

Description Tomas Hoger 2008-03-13 15:22:33 UTC
Richard Megginson discovered that Admin Server as used by Red Hat Directory
Server 8 and Fedora Directory Server does not properly restrict access to CGI
scripts.  This could allow unauthenticated user to get access to information or
perform tasks that should be restricted to authenticated administrative users.

Comment 8 Rich Megginson 2008-04-15 16:52:29 UTC
Created attachment 302493 [details]
cvs commit log

Resolves: bugs 437301 and 437320
Description: Directory Server: shell command injection in CGI replication
Directory Server: unrestricted access to CGI scripts
Fix Description: remove ScriptAlias for bin/admin/admin/bin - do not use that
directory for CGI URIs - use only protected URIs for CGIs requiring
Remove most CGI parameters from repl-monitor-cgi.pl - user must supply
replmon.conf in the admin server config directory instead of passing in this
pathname - repl-monitor-cgi.pl does not use system to call repl-monitor.pl, it
"includes" that script (using perl import).
Platforms tested: all supported platforms
Flag Day: no
Doc impact: release notes are available

Comment 9 Tomas Hoger 2008-04-15 20:51:04 UTC
Lifting embargo.

Comment 10 Fedora Update System 2008-04-22 00:01:57 UTC
fedora-ds-admin-1.1.4-1.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2008-04-22 00:02:28 UTC
fedora-ds-admin-1.1.4-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Rich Megginson 2008-06-09 15:43:23 UTC
Checking in adminserver/admserv/cfgstuff/admserv.conf.in;
/cvs/dirsec/adminserver/admserv/cfgstuff/admserv.conf.in,v  <--  admserv.conf.in
new revision: 1.11; previous revision: 1.10
Checking in adminserver/admserv/cgi-src40/repl-monitor-cgi.pl.in;
/cvs/dirsec/adminserver/admserv/cgi-src40/repl-monitor-cgi.pl.in,v  <-- 
new revision: 1.2; previous revision: 1.1

Comment 13 Kurt Seifried 2011-09-30 01:20:05 UTC
This issue has been addressed in following products:

  Red Hat Directory Server v8 EL4
  Red Hat Directory Server v8 EL5
Via RHSA-2008:0201 available at https://rhn.redhat.com/errata/RHSA-2008-0201.html

Note You need to log in before you can comment on or make changes to this bug.