The attack is not as easy as it looks:

#1 you need to have admin on localhost:9090 (or any other known combination)
#2 you need to visit an infected page (from the same browser, because there is user/password protection)
#3 you need to submit 2 forms (with fake data) => one for changing values, the second for 'apply'.
#4 you need to know the current cherokee structure (otherwise cherokee-admin will refuse it)
Greetings,
Jędrzej Nowak

On Wed, Jun 1, 2011 at 5:21 PM, Mini IT <[email protected]> wrote:
> Out of curiosity why is this not an issue?
> I would think the ability to reconfigure and execute arbitrary commands on a
> server is a pretty big issue even if the chance of it happening is slim..
>
> http://seclists.org/fulldisclosure/2011/Jun/0
> "Vendor response: "This isn't an issue."
>
> Problem: the cherokee server admin configuration web interface is
> vulnerable to csrf.
>
> Impact: if an admin is logged into the cherokee admin interface and
> visits a site which runs "bad tm scripts" cherokee can be reconfigured
> to run as $user and set log handlers(hooks) to execute arbitrary
> commands (on error and on access)."
> _______________________________________________
> Cherokee mailing list
> [email protected]
> http://lists.octality.com/listinfo/cherokee
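The preconditions listed above (a logged-in admin on localhost:9090, a forged two-step "change values" then "apply" submission from another site) describe a classic CSRF pattern, and the standard defence is to make the admin interface refuse state-changing POSTs that do not come from its own origin with a per-session token. The following is an added example, not cherokee-admin's code or anything from the thread: a minimal CSRF guard around a toy two-step config flow. The origin `http://localhost:9090` comes from the message; the `/set` and `/apply` paths, the `AdminConfig` class, the `server_user` key and the sample request headers are constructed for illustration.

```python
"""
Added example (not cherokee-admin's own code): a CSRF guard for a local
admin web interface. A state-changing POST is accepted only if
  (a) its Origin (or, failing that, Referer) matches the admin origin, and
  (b) it carries the per-session anti-CSRF token embedded in the admin's
      own forms.
A form auto-submitted from another site gets the browser's session cookie
attached, but fails both checks, so neither "set" nor "apply" goes through.
"""
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption: the admin UI is served only from this origin (from the thread).
ADMIN_ORIGIN = "http://localhost:9090"


def new_session_token() -> str:
    """Unguessable per-session token to embed as a hidden field in admin forms."""
    return secrets.token_urlsafe(32)


def _origin_of(url: str) -> str:
    """Reduce a URL (or Origin header value) to scheme://host[:port]; '' if malformed."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return ""  # covers 'null' Origin and garbage values
    return f"{parts.scheme}://{parts.netloc}"


def csrf_reject_reason(headers: dict, form: dict, session_token: str):
    """Return None if the POST may proceed, otherwise a short reason string."""
    h = {k.lower(): v for k, v in headers.items()}
    # 1. Source check: Origin first, Referer as fallback for older browsers.
    src = h.get("origin") or h.get("referer")
    if not src:
        return "missing Origin/Referer"
    if _origin_of(src) != ADMIN_ORIGIN:
        return f"cross-origin request from {_origin_of(src) or src!r}"
    # 2. Token check in constant time; an attacker page cannot read this token.
    supplied = form.get("csrf_token", "")
    if not session_token or not hmac.compare_digest(supplied, session_token):
        return "invalid or missing anti-CSRF token"
    return None


class AdminConfig:
    """Toy stand-in (hypothetical) for a 'set values' then 'apply' admin flow."""

    def __init__(self):
        self.pending = {}
        self.applied = {}
        self.session_token = new_session_token()

    def handle_post(self, path: str, headers: dict, form: dict) -> str:
        reason = csrf_reject_reason(headers, form, self.session_token)
        if reason is not None:
            return f"403 rejected: {reason}"
        if path == "/set":
            self.pending.update({k: v for k, v in form.items() if k != "csrf_token"})
            return "200 pending updated"
        if path == "/apply":
            self.applied.update(self.pending)
            self.pending.clear()
            return "200 applied"
        return "404"


def demo():
    """Constructed sample: one legitimate and two forged submissions."""
    admin = AdminConfig()
    # Legitimate POST from the admin UI itself: correct Origin and token.
    good = {"Origin": ADMIN_ORIGIN, "Cookie": "session=abc"}
    r1 = admin.handle_post("/set", good,
                           {"csrf_token": admin.session_token, "server_user": "www-data"})
    # Forged POSTs from another site: the browser still sends the cookie,
    # but Origin differs and the other page does not know the token.
    forged = {"Origin": "http://attacker.example", "Cookie": "session=abc"}
    r2 = admin.handle_post("/set", forged, {"server_user": "root"})
    r3 = admin.handle_post("/apply", forged, {})
    return r1, r2, r3, dict(admin.pending), dict(admin.applied)


if __name__ == "__main__":
    for line in demo()[:3]:
        print(line)
```

The Origin check alone already stops the scenario in the thread, since the forged forms are posted from the attacker's page rather than from localhost:9090; the token is the second, independent layer for clients that strip or omit Origin and Referer. Both checks have to sit on the "apply" step as well as the "set" step, otherwise a forged apply could commit values an admin had legitimately staged.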
