This repository has been archived by the owner. It is now read-only.

[dev.icinga.com #10453] Icinga Classic-UI 1.13.3 and older are vulnerable to XSS - CVE-2015-8010 #1563

Closed
icinga-migration opened this issue Oct 23, 2015 · 13 comments

@icinga-migration

commented Oct 23, 2015

This issue has been migrated from Redmine: https://dev.icinga.com/issues/10453

Created by ricardo on 2015-10-23 20:24:35 +00:00

Assignee: ricardo
Status: Resolved (closed on 2015-10-30 20:10:07 +00:00)
Target Version: 1.14
Last Update: 2015-10-30 22:14:06 +00:00 (in Redmine)

Icinga Version: 1.13.3
OS Version: Linux 4.2.3

Due to my bad programming skills I introduced an XSS vulnerability in Classic-UI with the CSV export link and pagination feature.

This got originally introduced with this issue https://dev.icinga.org/issues/593 and version 1.3.

Example: http://classic.demo.icinga.org/icinga/cgi-bin/status.cgi?host=all&'onmouseover='prompt(25435);'bad='

I already wrote a fix which just needs to be committed.
Hopefully this fix can make it into 1.14.0.

Thanks to T-Systems Germany for finding it.

Cheers
Ricardo

Attachments

Changesets

2015-10-23 20:26:12 +00:00 by ricardo 5c816f5

Classic-UI: fixes an XSS vulnerability in pagination and export links #10453

Sorry guys. Due to my bad programming skills I introduced an
XSS vulnerability in Classic-UI with the CSV export link and
pagination feature. The functions parsed QUERY_STRING from
the environment without properly sanitizing it.

The getcgivars() function got a bit reworked. Once the
QUERY_STRING is read and parsed the content survives the
whole lifetime of the cgi execution and gets freed at
the end. This way we can always build urls from valid parsed
cgi params.

I wonder why I haven't done this earlier.

Also the url param parsing in every cgi was updated and
hopefully everything works as before.

Refs: #10453

2015-10-30 20:05:17 +00:00 by ricardo 31dd493

Merge branch 'fix/xxs-vulnerability-in-classic-ui-10453'

fixes: #10453
fixes: CVE-2015-8010
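
The commit message above describes replacing links built from the raw QUERY_STRING with links built from parsed CGI parameters. The following C example is added here to show that difference and is not taken from the Icinga source; the struct, the function names and the link markup are assumptions, and the sample parameters are constructed from the example URL in the report.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct cgi_var { const char *name, *value; };  /* hypothetical parsed pair */

/* Percent-encode all but RFC 3986 unreserved characters; -1 if it does not fit. */
static int url_encode(const char *in, char *out, size_t cap) {
    static const char hex[] = "0123456789ABCDEF";
    size_t n = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        int plain = isalnum(c) || strchr("-_.~", c) != NULL;
        if (n + (plain ? 1 : 3) >= cap) return -1;  /* keep room for the NUL */
        if (plain) out[n++] = (char)c;
        else { out[n++] = '%'; out[n++] = hex[c >> 4]; out[n++] = hex[c & 15]; }
    }
    if (n >= cap) return -1;
    out[n] = '\0';
    return (int)n;
}

/* Before: the raw query string is copied into a single-quoted attribute. */
int link_from_raw_query(const char *qs, char *out, size_t cap) {
    return snprintf(out, cap, "<a href='status.cgi?%s&csvoutput'>CSV</a>", qs);
}

/* After: rebuild the URL from parsed pairs, encoding every name and value.
 * Returns the link length, or -1 (buffer contents then unusable). */
int link_from_parsed(const struct cgi_var *v, size_t count, char *out, size_t cap) {
    int w = snprintf(out, cap, "<a href='status.cgi?");
    if (w < 0 || (size_t)w >= cap) return -1;
    size_t n = (size_t)w;
    for (size_t i = 0; i < count; i++) {
        const char *part[2] = { v[i].name, v[i].value };
        for (int k = 0; k < 2; k++) {
            w = url_encode(part[k], out + n, cap - n - 1);  /* 1 byte kept for separator */
            if (w < 0) return -1;
            n += (size_t)w;
            out[n++] = k ? '&' : '=';
        }
    }
    w = snprintf(out + n, cap - n, "csvoutput'>CSV</a>");
    return (w < 0 || (size_t)w >= cap - n) ? -1 : (int)n + w;
}

int main(void) {
    struct cgi_var v[] = { {"host", "all"}, {"'onmouseover", "'prompt(25435);'bad='"} };
    char buf[256];
    return link_from_parsed(v, 2, buf, sizeof buf) > 0 && puts(buf) >= 0 ? 0 : 1;
}
```

With the raw variant the quotes from the request end up verbatim in the attribute; with the rebuilt variant only unreserved characters, `%`, `=` and `&` can appear inside the quoted `href`.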
@icinga-migration

commented Oct 23, 2015

Updated by ricardo on 2015-10-23 20:58:15 +00:00

  • Status changed from New to Assigned

Now fixed in "fix/xxs-vulnerability-in-classic-ui-10453"

@icinga-migration

commented Oct 23, 2015

Updated by ricardo on 2015-10-23 21:02:57 +00:00

Just sent out request for CVE. Will update this issue once CVE is assigned.

Cheers
Ricardo

@icinga-migration

commented Oct 23, 2015

Updated by ricardo on 2015-10-23 21:28:59 +00:00

  • Project changed from Icinga 1.x to Core, Classic UI, IDOUtils
  • Category set to Classic UI
  • Status changed from Assigned to Feedback
  • Done % changed from 50 to 90
  • Icinga Version set to 1
  • OS Version set to Linux 4.2.3
@icinga-migration

commented Oct 26, 2015

Updated by mfriedrich on 2015-10-26 08:04:42 +00:00

Please just merge it to master, you're responsible for Classic UI. I won't look into 1.x in detail, just one thing is missing for 1.14 - the IDO schema updates coming from 2.x

@icinga-migration

commented Oct 26, 2015

Updated by mfriedrich on 2015-10-26 08:18:45 +00:00

  • Status changed from Feedback to Assigned
@icinga-migration

commented Oct 26, 2015

Updated by mfriedrich on 2015-10-26 08:19:27 +00:00

Please edit the issue's subject with the CVE number once assigned. Then we may generate the changelog from redmine issues accordingly.

@icinga-migration

commented Oct 29, 2015

Updated by ricardo on 2015-10-29 19:14:21 +00:00

Hi,

still waiting for a CVE number to be assigned.

Will update and merge as soon as I get one.

Cheers
Ricardo

@icinga-migration

commented Oct 29, 2015

Updated by mfriedrich on 2015-10-29 21:31:06 +00:00

Seems it is there, go on please.
http://permalink.gmane.org/gmane.comp.security.oss.general/18053?utm_source=twitterfeed&utm_medium=twitter

@icinga-migration

commented Oct 30, 2015

Updated by ricardo on 2015-10-30 20:09:53 +00:00

  • Subject changed from Icinga Classic-UI 1.13.3 and older are vulnerable to XSS to Icinga Classic-UI 1.13.3 and older are vulnerable to XSS - CVE-2015-8010
  • Done % changed from 90 to 100

We got a CVE to track this issue.

CVE-2015-8010

now in current master

@icinga-migration

commented Oct 30, 2015

Updated by ricardo on 2015-10-30 20:10:07 +00:00

  • Status changed from Assigned to Resolved

Applied in changeset 31dd493.

@icinga-migration

commented Oct 30, 2015

Updated by mfriedrich on 2015-10-30 20:23:57 +00:00

Thanks. I'm planning to release 1.14 either before or after icinga2 v2.4 (ido schema compatibility). I'll talk to the web devs if they are ready as well.

@icinga-migration

commented Oct 30, 2015

Updated by ricardo on 2015-10-30 20:55:13 +00:00

  • File added Icinga_1.11.6_fix_xxs_CVE-2015-8010.patch

And here is a patch against 1.11.6 for the Debian folks.

This should apply cleanly.

@icinga-migration

commented Oct 30, 2015

Updated by mfriedrich on 2015-10-30 22:14:06 +00:00

https://security-tracker.debian.org/tracker/CVE-2015-8010
