So it's a none issue because an attacker will not have the correct
information?
Social engineering falls into "not my problem" for the developers?
On 6/1/2011 11:16 AM, Jędrzej Nowak wrote:
The attack is not that easy as it looks like:
#1 you need to have admin on localhost:9090 (or any other known combination)
#2 you need to visit infected page (from the same browser - because
there is user/password protection)
#3 you need to submit 2 forms (with fake data) => one for changing
values, second for 'apply'.
#4 you need to know the current cherokee structure (otherwise
cherokee-admin will refuse it)
Greetings,
Jędrzej Nowak
On Wed, Jun 1, 2011 at 5:21 PM, Mini IT<[email protected]> wrote:
Out of curiosity why is this not an issue?
I would think the ability to reconfigure and execute arbitrary commands on a
server is a pretty big issue even if the chance of it happening is slim..
http://seclists.org/fulldisclosure/2011/Jun/0
"Vendor response: "This isn't an issue."
Problem: the cherokee server admin configuration web interface is
vulnerable to csrf.
Impact: if an admin is logged into the cherokee admin interface and
visits a site which runs "bad tm scripts" cherokee can be reconfigured
to run as $user and set log handlers(hooks) to execute arbitrary
commands (on error and on access)."
_______________________________________________
Cherokee mailing list
[email protected]
http://lists.octality.com/listinfo/cherokee
_______________________________________________
Cherokee mailing list
[email protected]
http://lists.octality.com/listinfo/cherokee
