Hello community, here is the log from the commit of package icinga for openSUSE:Factory checked in at 2014-02-11 11:58:02
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/icinga (Old) and /work/SRC/openSUSE:Factory/.icinga.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "icinga"
Changes:
--------
--- /work/SRC/openSUSE:Factory/icinga/icinga.changes 2014-01-23 15:45:22.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.icinga.new/icinga.changes 2014-02-11 11:58:04.000000000 +0100
@@ -1,0 +2,5 @@
+Tue Feb 4 12:37:59 UTC 2014 - thardeck@suse.com
+
+- added 0001-classic-ui-fix-CVE-2013-7107.patch - fixed vulnerability against CSRF attacks CVE-2013-7107 (bnc#859424)
+
+-------------------------------------------------------------------
New:
----
0001-classic-ui-fix-CVE-2013-7107.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ icinga.spec ++++++
--- /var/tmp/diff_new_pack.VCmpk5/_old 2014-02-11 11:58:05.000000000 +0100
+++ /var/tmp/diff_new_pack.VCmpk5/_new 2014-02-11 11:58:05.000000000 +0100
@@ -46,6 +46,8 @@
 Patch0: icinga-add-ifdefine-to-apache.patch
 # PATCH-FIX-OPENSUSE icinga-fix-create-mysql-script.patch
 Patch1: icinga-fix-create-mysql-script.patch
+# PATCH-FIX-UPSTREAM 0001-classic-ui-fix-CVE-2013-7107.patch bnc#859424
+Patch2: 0001-classic-ui-fix-CVE-2013-7107.patch
 Provides: monitoring_daemon
 BuildRequires: apache2-devel
 BuildRequires: nagios-rpm-macros >= 0.08
@@ -254,6 +256,7 @@
 %setup -q
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 # remove GPLv3+ source files which are not needed for this package
 rm "t-tap/"*.c
++++++ 0001-classic-ui-fix-CVE-2013-7107.patch ++++++
From 9e9b6a5f26dfcf255fb63bf2326e23a40796f982 Mon Sep 17 00:00:00 2001
From: Ricardo Bartels
Date: Mon, 23 Dec 2013 17:22:10 +0100
Subject: [PATCH] classic-ui: fix vulnerability against CSRF attacks CVE-2013-7107 #5346
This is the fix for CVE-2013-7107. From now on the HTTP referer gets checked if the request of cmd.cgi actually comes from cmd.cgi. Otherwise the request will be rejected and the user be notified if possible. Also a new cgi.cfg option "disable_cmd_cgi_csrf_protection" got added to disable the protection and allow external programs to submit commands.
backported to 1.10.2
refs: #5346
---
 cgi/cgiutils.c | 4 ++++
 cgi/cmd.c | 17 +++++++++++++++++
 sample-config/cgi.cfg.in | 12 ++++++++++++
 .../updates/cgi.cfg_added_1.10.2_to_1.10.2p1.cfg | 17 +++++++++++++++++
 4 files changed, 50 insertions(+)
 create mode 100644 sample-config/updates/cgi.cfg_added_1.10.2_to_1.10.2p1.cfg
diff --git a/cgi/cgiutils.c b/cgi/cgiutils.c
index 2cc5908..e909336 100644
--- a/cgi/cgiutils.c
+++ b/cgi/cgiutils.c
@@ -184,6 +184,7 @@ int add_notif_num_hard = 0;
 int add_notif_num_soft = 0;
 int enforce_comments_on_actions = FALSE;
 int week_starts_on_monday = FALSE;
+int disable_cmd_cgi_csrf_protection = FALSE;
 int show_partial_hostgroups = FALSE;
 int show_partial_servicegroups = FALSE;
@@ -691,6 +692,9 @@ int read_cgi_config_file(char *filename) {
 else if (!strcmp(var, "display_status_totals"))
 display_status_totals = (atoi(val) > 0) ? TRUE : FALSE;
+ else if (!strcmp(var, "disable_cmd_cgi_csrf_protection"))
+ disable_cmd_cgi_csrf_protection = (atoi(val) > 0) ? TRUE : FALSE;
+
 else if (!strcmp(var, "authorization_config_file")) {
 authorization_config_file = strdup(val);
 strip(authorization_config_file);
diff --git a/cgi/cmd.c b/cgi/cmd.c
index e8b3e41..cce3581 100644
--- a/cgi/cmd.c
+++ b/cgi/cmd.c
@@ -38,6 +38,7 @@
 #include "../include/cgiutils.h"
 #include "../include/cgiauth.h"
 #include "../include/getcgi.h"
+#include "../include/locations.h"
 /** @name External vars @{ **/
@@ -57,6 +58,7 @@ extern int send_ack_notifications;
 extern int default_expiring_acknowledgement_duration;
 extern int set_expire_ack_by_default;
 extern int default_expiring_disabled_notifications_duration;
+extern int disable_cmd_cgi_csrf_protection;
 extern int display_header;
 extern int daemon_check;
@@ -2070,6 +2072,9 @@ void commit_command_data(int cmd) {
 scheduled_downtime *temp_downtime;
 servicegroup *temp_servicegroup = NULL;
 contact *temp_contact = NULL;
+ char *referer;
+ char *referer_check;
+ char *buffer;
 int x = 0;
 int e = 0;
 short error_found = FALSE;
@@ -2079,6 +2084,18 @@ void commit_command_data(int cmd) {
 /* get authentication information */
 get_authentication_information(¤t_authdata);
+ referer = getenv("HTTP_REFERER");
+ asprintf(&referer_check, "%s/%s", DEFAULT_URL_CGIBIN_PATH, CMD_CGI);
+
+ if (disable_cmd_cgi_csrf_protection == FALSE && (referer == NULL || !strstr(referer, referer_check))) {
+ if (use_logging == TRUE) {
+ asprintf(&buffer, "ERROR: %s;%s;%s;This appears to be a CSRF attack! The command wasn't issued via Classic-UI itself!", current_authdata.username, (getenv("REMOTE_ADDR") != NULL) ? getenv("REMOTE_ADDR") : "unknown remote address", extcmd_get_name(cmd));
+ write_to_cgi_log(buffer);
+ }
+ print_generic_error_message("Error: This appears to be a CSRF attack! The command wasn't issued via Classic-UI itself!", NULL, 2);
+ return;
+ }
+
 /* allways set the first element to FALSE*/
 /* If there is a single COMMAND witch is not coverd correctly throught the following cases it won't get executed */
 is_authorized[x] = FALSE;
diff --git a/sample-config/cgi.cfg.in b/sample-config/cgi.cfg.in
index b7f931c..f7755e9 100644
--- a/sample-config/cgi.cfg.in
+++ b/sample-config/cgi.cfg.in
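Review bot: The Referer test at `!strstr(referer, referer_check)` only asks whether the cgi-bin path to cmd.cgi occurs somewhere in the Referer and never whose origin it is, so a cross-site page served from a URL that merely contains that string — a path or query such as `http://attacker.example/x?/icinga/cgi-bin/cmd.cgi` — still passes (DEFAULT_URL_CGIBIN_PATH appears to be a bare path given the `%s/%s` format; locations.h is not visible here). The Referer should be checked as scheme, then the request's own host (HTTP_HOST, or SERVER_NAME where a reverse proxy rewrites it), then the cmd.cgi path anchored right after the host; and because Referer is both attacker-influenced and optional (privacy settings and HTTPS-to-HTTP navigation strip it, which this change turns into a hard lock-out), a per-session token in the cmd.cgi form remains the robust fix. The two `asprintf()` calls are also unchecked and their buffers never freed; glibc leaves the pointer undefined on failure, so `strstr()` could then read garbage. The sketch below needs `char *host;` and `int referer_ok;` added to the declarations hunk above; commit_command_data() begins and ends outside this hunk.
```c
	/* … unchanged: get_authentication_information() … */
	referer = getenv("HTTP_REFERER");
	host = getenv("HTTP_HOST");
	if (asprintf(&referer_check, "%s/%s", DEFAULT_URL_CGIBIN_PATH, CMD_CGI) < 0)
		referer_check = NULL;

	/* Accept only http(s)://<this host><cgi-bin path>/cmd.cgi; a bare strstr()
	 * also accepts a foreign URL that merely contains that path somewhere. */
	referer_ok = FALSE;
	if (referer != NULL && host != NULL && referer_check != NULL) {
		const char *p = referer;
		if (!strncmp(p, "https://", 8))
			p += 8;
		else if (!strncmp(p, "http://", 7))
			p += 7;
		else
			p = NULL;
		if (p != NULL && !strncmp(p, host, strlen(host)))
			referer_ok = (strncmp(p + strlen(host), referer_check, strlen(referer_check)) == 0) ? TRUE : FALSE;
	}

	if (disable_cmd_cgi_csrf_protection == FALSE && referer_ok == FALSE) {
		/* … unchanged: use_logging block (check asprintf()'s result, free(buffer) after write_to_cgi_log()) … */
		free(referer_check);
		print_generic_error_message("Error: This appears to be a CSRF attack! The command wasn't issued via Classic-UI itself!", NULL, 2);
		return;
	}
	free(referer_check);
```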
@@ -709,6 +709,18 @@ default_expiring_disabled_notifications_duration=86400
+# DISABLE CMD CGI CSRF PROTECTION
+# This option disables the protection against CSRF attacks
+# (Cross-Site Request Forgery). Use this option only if you are
+# using external programs (like Nagstamon) which access
+# cmd.cgi directly to submit commands. By default the submitted
+# command (via external program) will be rejected.
+# The default is 0 (protection is on).
+
+disable_cmd_cgi_csrf_protection=0
+
+
+
 ######################################
 #
diff --git a/sample-config/updates/cgi.cfg_added_1.10.2_to_1.10.2p1.cfg b/sample-config/updates/cgi.cfg_added_1.10.2_to_1.10.2p1.cfg
new file mode 100644
index 0000000..d047043
--- /dev/null
+++ b/sample-config/updates/cgi.cfg_added_1.10.2_to_1.10.2p1.cfg
@@ -0,0 +1,17 @@
+#################################################################
+# These are newly ADDED config options for CGI.CFG only.
+#
+# NOTE: Update your existing configuration with those new ones,
+# if needed. You are advised to do so, in order to get the
+# full Icinga experience!
+#################################################################
+
+# DISABLE CMD CGI CSRF PROTECTION
+# This option disables the protection against CSRF attacks
+# (Cross-Site Request Forgery). Use this option only if you are
+# using external programs (like Nagstamon) which access
+# cmd.cgi directly to submit commands. By default the submitted
+# command (via external program) will be rejected.
+# The default is 0 (protection is on).
+
+disable_cmd_cgi_csrf_protection=0
\ No newline at end of file
--
1.8.2.1
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org
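Review bot: The option comment starting at `+# This option disables the protection against CSRF attacks` does not say that a value of 1 removes the check for every browser session on this server, not just for the external program it is meant to accommodate, so an admin enabling it for Nagstamon re-opens CVE-2013-7107 for all users. The check this switch bypasses (cgi/cmd.c in this same patch) only inspects the Referer header, so an external client that sends a Referer pointing at cmd.cgi is accepted without the switch at all, which is the safer thing to document. I would add after `+# The default is 0 (protection is on).` the lines `# WARNING: 1 turns CSRF protection off for ALL clients, browsers included.` and `# Prefer configuring the external program to send a Referer header that points at cmd.cgi.`, and mirror them in the *_added_1.10.2_to_1.10.2p1.cfg copy below.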