C'mon already. If you are a sysadmin and you create the scenario below, you deserve to be hacked.

Tony Z

On Wed, Jun 1, 2011 at 12:41 PM, Mini IT <[email protected]> wrote:
> So it's a non-issue because an attacker will not have the correct information?
> Social engineering falls into "not my problem" for the developers?
>
> On 6/1/2011 11:16 AM, Jędrzej Nowak wrote:
>>
>> The attack is not as easy as it looks:
>> #1 you need to have admin on localhost:9090 (or any other known combination)
>> #2 you need to visit an infected page (from the same browser, because there is user/password protection)
>> #3 you need to submit 2 forms (with fake data) => one for changing values, second for 'apply'.
>> #4 you need to know the current cherokee structure (otherwise cherokee-admin will refuse it)
>>
>> Greetings,
>> Jędrzej Nowak
>>
>> On Wed, Jun 1, 2011 at 5:21 PM, Mini IT <[email protected]> wrote:
>>>
>>> Out of curiosity, why is this not an issue?
>>> I would think the ability to reconfigure and execute arbitrary commands on a server is a pretty big issue even if the chance of it happening is slim.
>>>
>>> http://seclists.org/fulldisclosure/2011/Jun/0
>>> "Vendor response: "This isn't an issue."
>>>
>>> Problem: the cherokee server admin configuration web interface is vulnerable to CSRF.
>>>
>>> Impact: if an admin is logged into the cherokee admin interface and visits a site which runs "bad tm scripts", cherokee can be reconfigured to run as $user and set log handlers (hooks) to execute arbitrary commands (on error and on access)."
>>> _______________________________________________
>>> Cherokee mailing list
>>> [email protected]
>>> http://lists.octality.com/listinfo/cherokee
>>>
>>
>
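The thread turns on Nowak's point #2: the user/password protection on cherokee-admin does not stop a cross-site form submission, because the victim's browser attaches the credentials itself. The following is an added example (my own, not Cherokee code) that models an admin handler with an auth-only policy beside one that also checks the browser-set Origin header and a per-session anti-CSRF token; `Request`, `ADMIN_ORIGIN` and the sample requests are constructed assumptions.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit
import secrets

# Assumption: cherokee-admin is reachable at this origin (the "localhost:9090" in the thread).
ADMIN_ORIGIN = "http://localhost:9090"


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)  # Origin/Referer are set by the browser, not the page
    form: dict = field(default_factory=dict)     # POST body the submitting page controls
    authenticated: bool = False                  # browser attached the admin's credentials


def auth_only_accepts(req: Request) -> bool:
    """Vulnerable policy: any authenticated POST to a config path is applied."""
    return req.method == "POST" and req.authenticated


def same_origin(req: Request) -> bool:
    """Fail closed: missing Origin/Referer or a foreign origin is rejected."""
    source = req.headers.get("Origin") or req.headers.get("Referer") or ""
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == ADMIN_ORIGIN


def csrf_safe(req: Request, session_token: str) -> bool:
    """Hardened policy: authenticated AND same-origin AND carries the session's token."""
    if not auth_only_accepts(req) or not same_origin(req):
        return False
    return secrets.compare_digest(req.form.get("csrf_token", ""), session_token)


# Constructed per-session token that only pages served from ADMIN_ORIGIN can read.
SESSION_TOKEN = secrets.token_hex(16)

# Constructed sample: the admin's own submission of the "apply" form from the admin UI.
LEGIT = Request("POST", "/apply", {"Origin": ADMIN_ORIGIN},
                {"csrf_token": SESSION_TOKEN, "setting": "a"}, authenticated=True)

# Constructed sample: a form auto-submitted from a page on another site in the same browser.
# Credentials ride along, but the browser sets Origin and the page cannot read the token.
FORGED = Request("POST", "/apply", {"Origin": "http://attacker.example"},
                 {"setting": "b"}, authenticated=True)

# Constructed sample: a foreign submission that guesses a token value.
GUESSED = Request("POST", "/apply", {"Referer": "http://attacker.example/page"},
                  {"csrf_token": "0" * 32, "setting": "c"}, authenticated=True)
```

The auth-only policy accepts all three requests; the hardened one accepts only `LEGIT`.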
