Bug 470842 - (CVE-2008-5028) CVE-2008-5028 nagios: CSRF vulnerability in cmd.cgi
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard: public=20081106,reported=20081106,sou...
Keywords: Security
Depends On: 471019
Reported: 2008-11-10 11:12 EST by Tomas Hoger
Modified: 2016-03-04 06:26 EST
Doc Type: Bug Fix
Last Closed: 2012-03-27 04:44:13 EDT
Attachments
Ubuntu patch to fix CVE-2008-5028 (1.19 KB, patch)
2009-03-23 17:44 EDT, Vincent Danen

Description Tomas Hoger 2008-11-10 11:12:53 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5028 to the following vulnerability:

Cross-site request forgery (CSRF) vulnerability in cmd.cgi in (1)
Nagios 3.0.5 and (2) op5 Monitor before 4.0.1 allows remote attackers
to send commands to the Nagios process, and trigger execution of
arbitrary programs by this process, via unspecified HTTP requests.

References:
http://sourceforge.net/mailarchive/forum.php?thread_name=4914396D.5010009%40op5.se&forum_name=nagios-devel
http://www.openwall.com/lists/oss-security/2008/11/06/2
http://git.op5.org/git/?p=nagios.git;a=commit;h=814d8d4d1a73f7151eeed187c0667585d79fea18
http://www.op5.com/support/news/389-important-security-fix-available-for-op5-monitor
http://secunia.com/advisories/32610
http://xforce.iss.net/xforce/xfdb/46426
Comment 1 Marc Schoenefeld 2008-11-11 05:47:47 EST
from http://www.openwall.com/lists/oss-security/2008/11/11/9: 

Date: Tue, 11 Nov 2008 11:36:00 +0100
From: Andreas Ericsson <ae@....se>
To: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request: Nagios (two issues)

[...] 

Actually, the CSRF issue is still in Nagios 3.0.5, but can no longer
trigger execution of arbitrary programs by the Nagios process. Its
impact is thereby reduced to disabling monitoring of the network and
similar actions that can validly be requested from the Nagios process
through the GUI.

The problem is not present in op5 Monitor 4.0.1. A tar-ball containing
the fix is available at http://www.op5.org/src/nagios-3.0.5p1.tar.gz.

Thanks.

-- 
Andreas Ericsson                   andreas.ericsson@....se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231
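The CVE text in the description and Andreas Ericsson's note above both come down to the same mechanism: a CSRF flaw in a command CGI means the server accepts a command whenever the browser presents a logged-in operator's credentials, regardless of which page caused the request to be sent. The Python below is an added illustration written for this page; it is not Nagios code, the op5 commit or the Ubuntu patch. It shows a toy command endpoint in its CSRF-prone form beside a hardened form that only accepts POST, checks the request's Origin/Referer against the site and requires a per-session token. The session id, command names, `Request` shape and `SITE_ORIGIN` value are all constructed.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed stand-in for a command CGI such as cmd.cgi: the operator is
# authenticated by a session cookie and submits commands by name. Session ids,
# the command set and the Request shape are assumptions for illustration,
# not Nagios code or data.
SESSIONS = {
    "sess-operator-1": {"user": "nagiosadmin", "csrf_token": secrets.token_hex(16)},
}
ALLOWED_COMMANDS = {"disable_monitoring", "enable_monitoring", "schedule_downtime"}
SITE_ORIGIN = "https://monitor.example.invalid"  # assumed deployment origin


@dataclass
class Request:
    method: str
    cookies: dict
    params: dict
    headers: dict = field(default_factory=dict)


def session_for(req):
    return SESSIONS.get(req.cookies.get("session"))


def dispatch(sess, cmd):
    """Common tail: validate the command name and hand it to the monitoring process."""
    if cmd not in ALLOWED_COMMANDS:
        return (400, "unknown command")
    return (200, f"{sess['user']} submitted {cmd}")


def handle_command_vulnerable(req):
    """CSRF-prone pattern: a valid session cookie is the only thing checked, so a
    request the browser was induced to send from another site is
    indistinguishable from one the operator made on purpose."""
    sess = session_for(req)
    if sess is None:
        return (403, "not logged in")
    return dispatch(sess, req.params.get("cmd"))


def csrf_token_for(session_id):
    """Token the server embeds in its own command form for this session."""
    return SESSIONS[session_id]["csrf_token"]


def handle_command_hardened(req):
    """Same endpoint with three checks a forged cross-site request cannot satisfy:
    state-changing commands require POST, Origin/Referer must match the site,
    and the form must echo the per-session token (compared in constant time)."""
    sess = session_for(req)
    if sess is None:
        return (403, "not logged in")
    if req.method != "POST":
        return (405, "commands must be submitted with POST")
    source = req.headers.get("Origin") or req.headers.get("Referer", "")
    parts = urlsplit(source)  # compare scheme and host exactly, not by prefix
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return (403, "cross-origin request rejected")
    supplied = req.params.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), sess["csrf_token"].encode()):
        return (403, "missing or invalid CSRF token")
    return dispatch(sess, req.params.get("cmd"))


def demo():
    """A request carrying the victim's cookie but referred from another site,
    versus the operator's own form submission; returns both handlers' verdicts."""
    forged = Request("GET", {"session": "sess-operator-1"},
                     {"cmd": "disable_monitoring"},
                     {"Referer": "https://other-site.example.invalid/page"})
    own_form = Request("POST", {"session": "sess-operator-1"},
                       {"cmd": "disable_monitoring",
                        "csrf_token": csrf_token_for("sess-operator-1")},
                       {"Origin": SITE_ORIGIN})
    return {
        "forged_vulnerable": handle_command_vulnerable(forged),
        "forged_hardened": handle_command_hardened(forged),
        "own_form_hardened": handle_command_hardened(own_form),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The order of the checks matters for operations as much as for correctness: a 405 on a GET is cheap to log and counts cross-site attempts without touching session state, while the token comparison runs last and in constant time so that a token mismatch leaks nothing about the stored value.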
Comment 4 Vincent Danen 2009-03-23 17:44:32 EDT
Created attachment 336395
Ubuntu patch to fix CVE-2008-5028

Patch to correct the issue, taken from Ubuntu (http://www.ubuntu.com/usn/USN-698-3)
