Bug 516140 - <net-analyzer/pnp4nagios-0.6.24: Two URL Cross-Site Scripting Vulnerabilities (CVE-2014-4908)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/58973/
Whiteboard: B4 [noglsa]
Reported: 2014-07-03 09:18 UTC by Agostino Sarubbo
Modified: 2014-11-10 22:19 UTC
Runtime testing required: ---
Description Agostino Sarubbo gentoo-dev 2014-07-03 09:18:18 UTC
From ${URL} :

Description

Two vulnerabilities have been reported in PNP4Nagios, which can be exploited by malicious people to conduct cross-site scripting attacks.

1) Input appended to the URL is not properly sanitised in "views/kohana_error_page.php" before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) Input appended to the URL is not properly sanitised in "views/template.php" before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.


Solution:
Fixed in the GIT repository.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
PNP4Nagios:
https://github.com/lingej/pnp4nagios/commit/e4a19768a5c5e5b1276caf3dd5bb721a540ec014
https://github.com/lingej/pnp4nagios/commit/cb925073edeeb97eb4ce61a86cdafccc9b87f9bb
Comment 1 Tomáš Mózes 2014-08-13 06:12:23 UTC
Ebuild from 0.6.21 works for 0.6.24, tested on amd64. We've been using it in production for a week now.
Comment 2 Guido Jäkel 2014-10-23 14:41:19 UTC
(In reply to Tomas Mozes from comment #1)
> Ebuild from 0.6.21 works for 0.6.24, tested on amd64. We've been using it in
> production for a week now.

Dear Tomas,

please add an alternative DEPEND on net-analyzer/icinga2 to the upcoming ebuilds.

The following diff is from my personal bumped version:


--- pnp4nagios-0.6.21.ebuild.20140314-113125    2014-03-14 11:31:26.000000000 +0100
+++ pnp4nagios-0.6.24.ebuild    2014-10-23 16:25:17.184022000 +0200
@@ -16,10 +16,11 @@
 IUSE=""
 KEYWORDS="amd64 ppc ppc64 ~sparc x86"
 
+# 20141023/gj  alternatively depend on icinga2
 DEPEND="dev-lang/php[json,simplexml,zlib,xml,filter]
        >=dev-lang/php-5.3
        >=net-analyzer/rrdtool-1.2[perl]
-       || ( net-analyzer/nagios-core net-analyzer/icinga )"
+       || ( net-analyzer/nagios-core net-analyzer/icinga net-analyzer/icinga2 )"
 RDEPEND="${DEPEND}
        virtual/perl-Getopt-Long
        virtual/perl-Time-HiRes
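
Review bot: The added line "# 20141023/gj  alternatively depend on icinga2" above DEPEND is a dated, initialled change note inside the ebuild; that history belongs in the ChangeLog or commit message, so drop it or reduce it to a plain comment. The new atom is appended last in the "|| ( ... )" group, which keeps net-analyzer/nagios-core as the first choice, and because RDEPEND starts with "${DEPEND}" the alternative also applies at runtime, so no separate RDEPEND change is needed.
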
Comment 3 Tomáš Mózes 2014-10-23 15:11:52 UTC
Hey Guido, I'm just a random tester, I cannot bump the version ;)

By the way, we've been using 0.6.24 since 2014/08.
Comment 4 Justin Lecher (RETIRED) gentoo-dev 2014-10-24 06:37:47 UTC
+*pnp4nagios-0.6.24 (24 Oct 2014)
+
+  24 Oct 2014; Justin Lecher <jlec@gentoo.org> +pnp4nagios-0.6.24.ebuild:
+  Version BUmp; fixes security issues #516078 & #516140
+
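
Review bot: "Version BUmp" in the second line of the ChangeLog entry has a stray capital; it should read "Version bump".
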
Comment 5 Justin Lecher (RETIRED) gentoo-dev 2014-10-24 06:39:16 UTC
@arches, please stable.
Comment 6 Agostino Sarubbo gentoo-dev 2014-10-27 14:17:13 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-10-27 14:18:32 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-11-10 13:45:24 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-11-10 13:52:29 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Comment 10 Justin Lecher (RETIRED) gentoo-dev 2014-11-10 13:54:37 UTC
+  10 Nov 2014; Justin Lecher <jlec@gentoo.org> -pnp4nagios-0.6.19-r1.ebuild,
+  -pnp4nagios-0.6.21.ebuild:
+  Drop old
+
Comment 11 Sean Amoss (RETIRED) gentoo-dev Security 2014-11-10 22:19:12 UTC
Justin, thank you for the very quick cleanup of vulnerable versions.

Closing noglsa for XSS.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-11-10 22:19:42 UTC
CVE-2014-4908 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4908):
  Multiple cross-site scripting (XSS) vulnerabilities in PNP4Nagios through
  0.6.22 allow remote attackers to inject arbitrary web script or HTML via the
  URI used for reaching (1) share/pnp/application/views/kohana_error_page.php
  or (2) share/pnp/application/views/template.php, leading to improper
  handling within an http-equiv="refresh" META element.
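
The advisory text in the description and the CVE entry above both place the flaw in a request URI that is echoed into an http-equiv="refresh" META element. The PHP below is an added illustration of that pattern and of a hardened form; it is not PNP4Nagios code and not the upstream fix, and the function names, the same-site path check and the sample URIs are constructed assumptions.

```php
<?php
// Added example. Hypothetical helper names; not taken from PNP4Nagios.

// Unsafe pattern: the request URI is copied into the attribute verbatim,
// so a double quote in the URI closes content="..." and whatever follows
// is parsed by the browser as markup.
function refresh_tag_unsafe(string $requestUri, int $seconds): string
{
    return '<meta http-equiv="refresh" content="' . $seconds
         . '; url=' . $requestUri . '">';
}

// Hardened form: accept only a local absolute path, then encode the value
// for the HTML attribute context before it is written out.
function refresh_tag_safe(string $requestUri, int $seconds): string
{
    // Must start with a single "/" (no scheme, no "//host", no "/\host")
    // and contain no control characters; anything else falls back to "/".
    if (!preg_match('#^/(?![/\\\\])[^\x00-\x1f\x7f]*\z#', $requestUri)) {
        $requestUri = '/';
    }
    // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces
    // invalid UTF-8 sequences instead of returning an empty string.
    $escaped = htmlspecialchars($requestUri, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return sprintf('<meta http-equiv="refresh" content="%d; url=%s">',
                   $seconds, $escaped);
}

// Constructed sample inputs: a normal URI, one carrying a quote and a
// harmless tag, and one that tries to leave the site.
$samples = [
    '/pnp4nagios/graph?host=web01&srv=PING',
    '/pnp4nagios/graph?host="><b>injected</b>',
    '//other.example/path',
];

foreach ($samples as $uri) {
    echo "input : ", $uri, "\n";
    echo "unsafe: ", refresh_tag_unsafe($uri, 90), "\n";
    echo "safe  : ", refresh_tag_safe($uri, 90), "\n\n";
}
```

In the second sample the unsafe output contains a live `<b>` element after the closed attribute, while the safe output keeps the whole URI inside `content` as `&quot;&gt;&lt;b&gt;...`.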