[dev.icinga.com #5346] fix vulnerability against CSRF attacks CVE-2013-7107 #1409
This issue has been migrated from Redmine: https://dev.icinga.com/issues/5346
Created by ricardo on 2013-12-16 20:06:13 +00:00
This is a follow-up to #5250.
Answer from "cve-assign at mitre.org"
Because one report mentions CSRF,
We will fix the problem with these prevention suggestions. (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#CSRF_Prevention_without_a_Synchronizer_Token)
As Classic-UI is stateless, we will add a check for submitted commands and the HTTP Referrer header and/or Origin header if present.
2013-12-19 16:56:58 +00:00 by ricardo bdf8b99
2013-12-23 17:13:45 +00:00 by ricardo acb6271
2013-12-23 17:17:26 +00:00 by ricardo 6df4f60
2014-01-03 21:48:24 +00:00 by ricardo 4673556
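The Origin/Referer check described in the issue, as an added illustration (not code from the Icinga commits above): the source of a command submission is taken from the Origin header when the browser sent one, from the Referer header otherwise, and compared with the host the UI is served from. The allowed host value, the `null` Origin handling and the choice to reject a request that carries neither header (the cheat sheet's recommended default) are assumptions of this example, not something the issue specifies.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Copy the authority (host[:port]) of an http(s) URL into buf.
 * Returns false when the value has no http(s) scheme or does not fit. */
static bool url_authority(const char *url, char *buf, size_t buflen)
{
    const char *p;
    if (strncasecmp(url, "https://", 8) == 0)      p = url + 8;
    else if (strncasecmp(url, "http://", 7) == 0)  p = url + 7;
    else return false;

    size_t n = strcspn(p, "/?#");          /* authority ends at path, query or fragment */
    const char *at = memchr(p, '@', n);    /* drop any userinfo (user:pw@host) */
    if (at) { n -= (size_t)(at + 1 - p); p = at + 1; }
    if (n == 0 || n >= buflen) return false;
    memcpy(buf, p, n);
    buf[n] = '\0';
    return true;
}

/* Decide whether a submitted command may be processed.
 * origin / referer: raw header values, NULL when the header was not sent.
 * allowed_host: host[:port] the UI is served from (assumed to come from a
 * cgi.cfg option; the option name is not taken from the issue).
 * Origin is authoritative when present; Referer is only the fallback;
 * a request carrying neither is rejected (assumption, per the cheat sheet). */
bool csrf_source_allowed(const char *origin, const char *referer, const char *allowed_host)
{
    char auth[256];
    const char *src = origin ? origin : referer;
    if (!src) return false;                                  /* no source information */
    if (origin && strcmp(origin, "null") == 0) return false; /* opaque (privacy-sensitive) origin */
    if (!url_authority(src, auth, sizeof auth)) return false;
    return strcasecmp(auth, allowed_host) == 0;              /* exact host[:port] match only */
}

int main(void)
{
    /* Constructed sample header values, not taken from a real request. */
    printf("same-origin form post: %d\n",
           csrf_source_allowed("https://icinga.example.org", NULL, "icinga.example.org"));
    printf("cross-site page:       %d\n",
           csrf_source_allowed(NULL, "http://other.example/page.html", "icinga.example.org"));
    return 0;
}
```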
Updated by ricardo on 2013-12-23 16:34:30 +00:00
fix in current "fix/vulnerability-against-CSRF-attacks-5346"
THIS ADDS A NEW CGI.CFG OPTION
As it adds a new configuration option and would also break compatibility with current Nagstamon and co. installations, it will be upstream only from 1.11 on.
Also added patches for