Bug 471009 (CVE-2007-6420) - CVE-2007-6420 mod_proxy_balancer CSRF
Summary: CVE-2007-6420 mod_proxy_balancer CSRF
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2007-6420
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Reported: 2008-11-11 11:25 UTC by Mark J. Cox
Modified: 2021-11-12 19:47 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A cross-site request forgery issue was found in the mod_proxy_balancer module. A remote attacker could cause a denial of service if mod_proxy_balancer is enabled and an authenticated user is targeted. (CVE-2007-6420)
Clone Of:
Environment:
Last Closed: 2010-12-20 17:10:58 UTC

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2008:0966 | 0 | normal | SHIPPED_LIVE | Moderate: Red Hat Application Stack v2.2 security and enhancement update | 2009-02-24 16:07:19 UTC

Description Mark J. Cox 2008-11-11 11:25:13 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-6420 to the following vulnerability:

Cross-site request forgery (CSRF) vulnerability in the balancer-manager in mod_proxy_balancer for Apache HTTP Server 2.2.x allows remote attackers to gain privileges via unspecified vectors.

Comment 2 Mark J. Cox 2008-11-11 11:33:45 UTC
mod_proxy_balancer is shipped in Red Hat Enterprise Linux 5 and Red Hat Application Stack v2.

We do not plan on correcting this issue in Red Hat Enterprise Linux 5 as it poses a very low security risk: The balancer manager is not enabled by default, the user targeted by the CSRF would need to be authenticated, and the consequences of an exploit would be limited to a web server denial of service.

We plan on updating to a new upstream version of Apache shipped in Application Stack v2, which will cause this issue to be addressed.

Comment 3 Hrunting Johnson 2010-09-17 14:48:02 UTC
The problem with not fixing this problem (and many others that Red Hat deems too low a priority to fix) is that the PCI standards committee has deemed the vulnerability to be severe enough to affect PCI-DSS standards compliance. As a vendor that takes credit cards, we can't achieve PCI compliance running Red Hat enterprise software. It's especially troubling that there is a patch available, so Red Hat's work has been done for them.

Can you please reconsider this decision (I understand it's about two years too late) and others you make like this? It's tough being told that your vendor-supplied security fixes aren't good enough to patch a common vulnerability assessment standard.

Comment 4 Vincent Danen 2010-12-20 17:10:58 UTC
Hi there. This isn't something we intend to fix in a security erratum due to the rationale noted by Mark above. However, you can open a ticket with GSS and request that it gets corrected in the next quarterly update. That could very well solve the issue for you.

Note that it has been fixed in Stacks v2 already, via https://rhn.redhat.com/errata/RHSA-2008-0966.html.