fix vulnerability against CSRF attacks CVE-2013-7107
Target version: Icinga 1.x - 1.11
Icinga Version: 1.10.2
OS Version: any
This is a follow-up to #5250.
Answer from "cve-assign at mitre.org"
Because one report mentions CSRF,
our expectation is that some type of CSRF impact would
remain even after the buffer overflows were fixed.
We will fix the problem following these prevention suggestions: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#CSRF_Prevention_without_a_Synchronizer_Token
As Classic-UI is stateless, we will add a check for submitted commands against the HTTP Referer header and/or the Origin header, if present.
classic-ui: fix vulnerability against CSRF attacks CVE-2013-7107 #5346
This is the fix for CVE-2013-7107. From now on the HTTP referer gets
checked if the request of cmd.cgi actually comes from cmd.cgi.
Otherwise the request will be rejected and the user be notified if
possible. Also a new cgi.cfg option "disable_cmd_cgi_csrf_protection"
got added to disable the protection and allow external programs to
Merge branch 'fix/vulnerability-against-CSRF-attacks-5346' into next
#1 Updated by ricardo almost 2 years ago
- File 0001-classic-ui-fix-vulnerability-against-CSRF-attacks-CVE-2013-7107_1.8.5.patch added
- File 0001-classic-ui-fix-vulnerability-against-CSRF-attacks-CVE-2013-7107_1.9.4.patch added
- File 0001-classic-ui-fix-vulnerability-against-CSRF-attacks-CVE-2013-7107_1.10.2.patch added
- Assignee set to ricardo
- % Done changed from 0 to 80
fix in current "fix/vulnerability-against-CSRF-attacks-5346"
THIS ADDS A NEW CGI.CFG OPTION
As it adds a new configuration option and also would break compatibility with current Nagstamon and co installations, it will be upstream only from 1.11 on.
# DISABLE CMD CGI CSRF PROTECTION
# This option disables the protection against CSRF attacks
# (Cross-Site Request Forgery). Use this option only if you are
# using external programs (like Nagstamon) which access
# cmd.cgi directly to submit commands. By default the submitted
# command (via external program) will be rejected.
# The default is 0 (protection is on).
disable_cmd_cgi_csrf_protection=0
Also added patches for
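The Referer/Origin check described in the issue and commit message above, together with the cgi.cfg switch added in this comment, sketched as an added example in C; this is not the Classic-UI code from the patch. It assumes the expected host and the cmd.cgi path are taken from the server's own configuration, that Origin is preferred over Referer when both are present, and that hostnames are compared verbatim.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* If url begins with http(s)://expected_host[:port], return a pointer to the
 * character after that prefix ('\0' or '/'), else NULL. Demanding ':' '/' or
 * end-of-string right after the host is what keeps
 * "icinga.example.org.attacker.test" from matching "icinga.example.org". */
static const char *skip_own_origin(const char *url, const char *expected_host)
{
    if (url == NULL) return NULL;
    if (strncmp(url, "https://", 8) == 0) url += 8;
    else if (strncmp(url, "http://", 7) == 0) url += 7;
    else return NULL;
    size_t hlen = strlen(expected_host);
    if (strncmp(url, expected_host, hlen) != 0) return NULL; /* verbatim compare */
    url += hlen;
    if (*url == ':') {                                  /* optional explicit port */
        url++;
        if (!isdigit((unsigned char)*url)) return NULL;
        while (isdigit((unsigned char)*url)) url++;
    }
    return (*url == '\0' || *url == '/') ? url : NULL;
}

/* Referer must point at cmd.cgi itself on our host; a query string is fine. */
static bool referer_is_cmd_cgi(const char *referer, const char *host,
                               const char *cmd_cgi_path)
{
    const char *rest = skip_own_origin(referer, host);
    size_t plen = strlen(cmd_cgi_path);
    if (rest == NULL || strncmp(rest, cmd_cgi_path, plen) != 0) return false;
    rest += plen;
    return *rest == '\0' || *rest == '?' || *rest == '#';
}

/* The ticket's policy: option set -> accept (external tools such as Nagstamon);
 * otherwise Origin decides when present (it carries scheme://host[:port] only,
 * so a host match is the whole test), else Referer; no header at all -> reject. */
static bool cmd_submission_allowed(int protection_disabled, const char *origin,
        const char *referer, const char *host, const char *cmd_cgi_path)
{
    if (protection_disabled) return true;
    if (origin != NULL) {
        const char *rest = skip_own_origin(origin, host);
        return rest != NULL && *rest == '\0';
    }
    if (referer != NULL) return referer_is_cmd_cgi(referer, host, cmd_cgi_path);
    return false;
}
```

A browser that sends neither header lands in the final reject branch, which is the case where the commit message says the user gets notified if possible.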
#2 Updated by ricardo almost 2 years ago
- Status changed from New to Resolved
- % Done changed from 80 to 100
Applied in changeset icinga-core:6df4f60d166e826815d7cfda6697744c921b840f.