Bug 713304 (CVE-2011-2191) - CVE-2011-2191 cherokee: CSRF and XSS vulnerabilities
Summary: CVE-2011-2191 cherokee: CSRF and XSS vulnerabilities
Alias: CVE-2011-2191
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 713306 713307
Reported: 2011-06-14 22:25 UTC by Vincent Danen
Modified: 2019-09-29 12:45 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2011-10-19 14:44:14 UTC


Description Vincent Danen 2011-06-14 22:25:21 UTC
Two flaws were reported in Cherokee.

The first (CVE-2011-2191) is that the Cherokee server admin configuration web interface is vulnerable to CSRF. If an admin is logged into the Cherokee admin interface and visits a site which runs a malicious script, Cherokee can be reconfigured to execute arbitrary commands [1]. The CSRF can also be used to produce a persistent XSS [2].

The second (CVE-2011-2090) is that Cherokee seeds srand with a combination of the time and the PID of the admin process, after which rand() is called to generate a random password -- this is unsafe and allows for fairly easy local password guessing by a local user [3].

[1] http://seclists.org/fulldisclosure/2011/Jun/0
[2] http://www.openwall.com/lists/oss-security/2011/06/03/6
[3] http://code.google.com/p/cherokee/issues/detail?id=1212
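The request-side checks that close the CSRF hole described in this report, as an added example that is not Cherokee's code and is not taken from the references above. A state-changing admin request is refused unless it carries the session's anti-CSRF token and comes from the admin interface's own origin; the header names, the admin origin, and the token values in the usage call are assumptions made for the example.

```c
/* Added example, not Cherokee's code: the checks an admin web interface needs
 * so that a page on another site cannot drive its configuration endpoints
 * (the CVE-2011-2191 pattern). Header names and the admin origin are assumed. */
#include <stddef.h>
#include <string.h>

/* Compare two tokens without leaking where they first differ. The length test
 * runs first; issue fixed-length tokens so that it reveals nothing useful. */
int tokens_equal_ct(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    if (la != lb)
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < la; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Returns 1 if the request may be processed, 0 if it must be rejected.
 *   method:        HTTP method of the request
 *   origin_hdr:    value of the Origin header, or NULL if absent
 *   token_hdr:     value of the X-CSRF-Token header (assumed name), or NULL
 *   session_token: the token issued to this admin session
 *   admin_origin:  the only origin allowed to drive the admin UI */
int csrf_request_allowed(const char *method, const char *origin_hdr,
                         const char *token_hdr, const char *session_token,
                         const char *admin_origin)
{
    /* Reads pass. This only holds if no state-changing endpoint is reachable
     * via GET; otherwise a plain <img src=...> on any page would drive it. */
    if (strcmp(method, "GET") == 0 || strcmp(method, "HEAD") == 0)
        return 1;

    /* Browsers attach Origin to cross-site form posts and XHR. A missing or
     * foreign origin is reason enough to refuse the request. */
    if (origin_hdr == NULL || strcmp(origin_hdr, admin_origin) != 0)
        return 0;

    /* A script on a third-party site cannot read the token embedded in the
     * admin page, so requiring it on every write defeats a forged request.
     * Keeping both checks gives defence in depth. */
    if (token_hdr == NULL || session_token == NULL)
        return 0;
    return tokens_equal_ct(token_hdr, session_token);
}

int main(void)
{
    /* Constructed values: an assumed admin origin and a sample session token. */
    const char *admin = "http://127.0.0.1:9090";
    const char *tok = "c0ffee1234567890";
    return csrf_request_allowed("POST", admin, tok, tok, admin) ? 0 : 1;
}
```

Tokens must be unpredictable per session, which is exactly what the second flaw in this report (weak seeding of rand()) undermines; a token generator has the same requirements as the admin password generator.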

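The second flaw in this report, weak seeding of the admin password generator, as an added example that is not Cherokee's code. The vulnerable generator is seeded from the time and the PID and then draws from rand(), so anyone who can bound those two values regenerates the same password; the hardened version reads the kernel CSPRNG instead. The report does not say how Cherokee combined the two values, so the `t ^ pid` seed, the character set, and the sample time and PID in main() are assumptions for the example.

```c
/* Added example, not Cherokee's code: a password generator seeded from time
 * and PID with rand() (the pattern CVE-2011-2090 describes) next to one that
 * reads /dev/urandom. "t ^ pid" is an assumed stand-in for however Cherokee
 * combined the two values. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <sys/types.h>
#include <unistd.h>

static const char CHARSET[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
#define CHARSET_LEN 62

/* Vulnerable pattern: the only entropy is the seed, and the seed comes from
 * two values a local user can read or narrow down (clock, PID). The same
 * inputs always yield the same password, which is the whole problem. */
void weak_generate_password(time_t t, pid_t pid, char *out, size_t len)
{
    srand((unsigned int)(t ^ (time_t)pid));      /* assumed combination */
    for (size_t i = 0; i < len; i++)
        out[i] = CHARSET[rand() % CHARSET_LEN];   /* also modulo-biased */
    out[len] = '\0';
}

/* Hardened replacement: bytes come from the kernel CSPRNG, and rejection
 * sampling keeps every character equally likely. Returns 0 on success,
 * -1 if /dev/urandom cannot be read. */
int secure_generate_password(char *out, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    size_t filled = 0;
    while (filled < len) {
        unsigned char b;
        if (fread(&b, 1, 1, f) != 1) {
            fclose(f);
            return -1;
        }
        /* 248 = 4 * 62: only bytes below the largest multiple of CHARSET_LEN
         * are accepted, so b % CHARSET_LEN is uniform over the alphabet. */
        if (b >= 248)
            continue;
        out[filled++] = CHARSET[b % CHARSET_LEN];
    }
    fclose(f);
    out[len] = '\0';
    return 0;
}

/* Returns 1 if every character of pw is drawn from CHARSET, else 0. */
int password_uses_charset(const char *pw)
{
    return strspn(pw, CHARSET) == strlen(pw);
}

int main(void)
{
    char a[17], b[17], c[17];
    /* Constructed inputs: a fixed timestamp and PID, to show determinism. */
    weak_generate_password(1308090321, 4242, a, 16);
    weak_generate_password(1308090321, 4242, b, 16);
    printf("weak, same seed twice: %s %s (%s)\n", a, b,
           strcmp(a, b) == 0 ? "identical" : "differ");
    if (secure_generate_password(c, 16) == 0)
        printf("secure: %s\n", c);
    return 0;
}
```

On Linux with a recent glibc, getrandom(2) is the cleaner source than opening /dev/urandom, but the file read keeps the example portable to older systems.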
Comment 1 Vincent Danen 2011-06-14 22:27:05 UTC
Created cherokee tracking bugs for this issue

Affects: fedora-all [bug 713306]
Affects: epel-all [bug 713307]

Comment 2 Kurt Seifried 2011-06-15 01:34:22 UTC
Partial duplicate of 710471 (CVE-2011-2190)

Comment 3 Vincent Danen 2011-06-15 20:35:48 UTC
Ahh, didn't see we had a bug for that already.  Thanks!

Comment 4 Jan Lieskovsky 2011-10-19 14:44:14 UTC
This issue has been resolved via the following updates:
1) cherokee-1.2.101-1.fc15 for Fedora 15,
2) cherokee-1.2.101-1.fc14 for Fedora 14,
3) cherokee-1.2.101-1.el6 for Fedora EPEL 6,
4) cherokee-1.2.101-1.el5 for Fedora EPEL 5,
5) cherokee-1.2.101-1.el4 for Fedora EPEL 4.

These updated packages have been pushed to the -testing repository, and once their required testing is complete, they will be pushed to the -stable repository.

Comment 5 Gunnar Wolf 2012-03-09 16:22:19 UTC
This bug consists of two separate issues. AFAICT, the second one has been dealt with, but the first one is still open.

I am not really familiar with RedHat's workflow, but at least I have been unable to find anything fixing the CSRF bug, short of this mail sent by the upstream author, stating he has not found a way to solve it:

