[#5346] fix vulnerability against CSRF attacks CVE-2013-7107 #1409

icinga-migration opened this issue Dec 16, 2013 · 3 comments


@icinga-migration icinga-migration commented Dec 16, 2013

This issue has been migrated from Redmine:

Created by ricardo on 2013-12-16 20:06:13 +00:00

Assignee: ricardo
Status: Resolved (closed on 2013-12-30 16:53:50 +00:00)
Target Version: 1.11
Last Update: 2014-12-08 09:21:45 +00:00 (in Redmine)

Icinga Version: 1.10.2
OS Version: any

This is a follow-up to #5250

Answer from "cve-assign at"

Because one report mentions CSRF,
our expectation is that some type of CSRF impact would
remain even after the buffer overflows were fixed.

We will fix the problem with these prevention suggestions. (_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#CSRF_Prevention_without_a_Synchronizer_Token)

As Classic-UI is stateless, we will add a check for submitted commands and the HTTP Referrer header and/or Origin header if present.



2013-12-19 16:56:58 +00:00 by ricardo bdf8b99

classic-ui: fix vulnerability against CSRF attacks CVE-2013-7107 #5346

This is the fix for CVE-2013-7107. From now on the HTTP referer gets
checked if the request of cmd.cgi actually comes from cmd.cgi.
Otherwise the request will be rejected and the user be notified if
possible. Also a new cgi.cfg option "disable_cmd_cgi_csrf_protection"
got added to disable the protection and allow external programs to
submit commands.

refs: #5346

2013-12-23 17:13:45 +00:00 by ricardo acb6271

classic-ui: add change entry in Changelog #5346

refs: #5346

2013-12-23 17:17:26 +00:00 by ricardo 6df4f60

Merge branch 'fix/vulnerability-against-CSRF-attacks-5346' into next


fixes: #5346

2014-01-03 21:48:24 +00:00 by ricardo 4673556

classic-ui: added new config option to config.cgi #5346

refs: #5346
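The Referer/Origin check the issue and the commit message describe, written out as an added example; this is illustration code, not Icinga's own cmd.cgi implementation. It assumes the standard CGI environment variables HTTP_HOST, HTTP_REFERER and HTTP_ORIGIN, a hypothetical function csrf_check() with hypothetical parameter names, and a constructed script path "/icinga/cgi-bin/cmd.cgi"; the global flag mirrors the disable_cmd_cgi_csrf_protection option from cgi.cfg.

```c
/* Added example, not Icinga's code: a Referer/Origin check for a stateless
 * CGI such as cmd.cgi. csrf_check() and its parameters are hypothetical;
 * the flag mirrors the disable_cmd_cgi_csrf_protection option in cgi.cfg. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int disable_cmd_cgi_csrf_protection = 0; /* cgi.cfg default 0: protection on */

/* If url is "<scheme>://<host>" followed by end of string, "/" or "?",
 * return a pointer to what follows the host; otherwise NULL. */
static const char *after_own_host(const char *url, const char *host) {
    const char *p = strstr(url, "://");
    size_t hlen = strlen(host);
    if (p == NULL || hlen == 0) return NULL;
    p += 3;
    if (strncmp(p, host, hlen) != 0) return NULL;
    if (p[hlen] != '\0' && p[hlen] != '/' && p[hlen] != '?') return NULL;
    return p + hlen;
}

/* Returns 1 if a command submission may be processed, 0 if it must be
 * rejected. referer/origin are NULL when the client did not send them;
 * self_path is the script's own path, e.g. "/icinga/cgi-bin/cmd.cgi". */
int csrf_check(const char *host, const char *referer, const char *origin,
               const char *self_path) {
    const char *rest;
    size_t plen = strlen(self_path);
    if (disable_cmd_cgi_csrf_protection) return 1; /* operator opted out */
    /* Origin (scheme://host only): if present it must name our own host. */
    if (origin != NULL && *origin != '\0' && !after_own_host(origin, host))
        return 0;
    /* Referer must name our host and point at cmd.cgi itself (the command
     * form). A missing or stripped Referer is rejected, as in the fix, which
     * is why external tools such as Nagstamon need the cgi.cfg override. */
    if (referer == NULL || (rest = after_own_host(referer, host)) == NULL)
        return 0;
    if (strncmp(rest, self_path, plen) != 0) return 0;
    return rest[plen] == '\0' || rest[plen] == '?';
}

int main(void) { /* stand-alone: use the CGI environment from the server */
    const char *host = getenv("HTTP_HOST");
    int ok = csrf_check(host ? host : "", getenv("HTTP_REFERER"),
                        getenv("HTTP_ORIGIN"), "/icinga/cgi-bin/cmd.cgi");
    puts(ok ? "command accepted" : "command rejected: possible CSRF");
    return ok ? 0 : 1;
}
```

Note that the host comparison requires the exact host followed by a path or query, so a Referer from a host that merely starts with the expected name is rejected too.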


@icinga-migration icinga-migration commented Dec 23, 2013

Updated by ricardo on 2013-12-23 16:34:30 +00:00

  • File added 0001-classic-ui-fix-vulnerability-against-CSRF-attacks-CVE-2013-7107_1.8.5.patch
  • File added 0001-classic-ui-fix-vulnerability-against-CSRF-attacks-CVE-2013-7107_1.9.4.patch
  • File added 0001-classic-ui-fix-vulnerability-against-CSRF-attacks-CVE-2013-7107_1.10.2.patch
  • Assigned to set to ricardo
  • Done % changed from 0 to 80

fix in current "fix/vulnerability-against-CSRF-attacks-5346"


As it adds a new configuration option and would also break compatibility with current Nagstamon and co. installations, it will be upstream only from 1.11 on.

cgi.cfg description:

# This option disables the protection against CSRF attacks
# (Cross-Site Request Forgery). Use this option only if you are
# using external programs (like Nagstamon) which access
# cmd.cgi directly to submit commands. By default the submitted
# command (via external program) will be rejected.
# The default is 0 (protection is on).


Also added patches for

  • 1.10.2
  • 1.9.4
  • 1.8.5


@icinga-migration icinga-migration commented Dec 30, 2013

Updated by ricardo on 2013-12-30 16:53:50 +00:00

  • Status changed from New to Resolved
  • Done % changed from 80 to 100

Applied in changeset icinga-core:6df4f60d166e826815d7cfda6697744c921b840f.



@icinga-migration icinga-migration commented Dec 8, 2014

Updated by mfriedrich on 2014-12-08 09:21:45 +00:00

  • Project changed from 19 to Core, Classic UI, IDOUtils
  • Category set to Classic UI
  • OS Version set to any
@icinga-migration icinga-migration added this to the 1.11 milestone Jan 17, 2017