630976 – (CVE-2017-11567) www-servers/mongoose: CSRF issue can be leveraged to execute arbitrary code remotely

Bug 630976 (CVE-2017-11567) - www-servers/mongoose: CSRF issue can be leveraged to execute arbitrary code remotely

Summary: www-servers/mongoose: CSRF issue can be leveraged to execute arbitrary code r...

Status:	RESOLVED FIXED

Alias:	CVE-2017-11567

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	~2 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2017-09-14 13:32 UTC by Aleksandr Wagner (Kivak)
Modified:	2020-03-29 00:04 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Aleksandr Wagner (Kivak) 2017-09-14 13:32:51 UTC

CVE-2017-11567 (https://nvd.nist.gov/vuln/detail/CVE-2017-11567):

Cross-site request forgery (CSRF) vulnerability in Mongoose Web Server before 6.9 allows remote attackers to hijack the authentication of users for requests that modify Mongoose.conf via a request to __mg_admin?save. NOTE: this issue can be leveraged to execute arbitrary code remotely.

References:

http://hyp3rlinx.altervista.org/advisories/MONGOOSE-WEB-SERVER-v6.5-CSRF-COMMAND-EXECUTION.txt
http://seclists.org/fulldisclosure/2017/Sep/3
https://www.exploit-db.com/exploits/42614/

Comment 1 Zac Medico gentoo-dev

2017-09-14 21:32:55 UTC

I don't think that mongoose-5.6 is affected. Can anyone demonstrate the exploit with it?

Comment 2 Larry the Git Cow gentoo-dev

2017-11-13 17:51:19 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b3eb14942b43cd240810401a6208957a0528ca8c

commit b3eb14942b43cd240810401a6208957a0528ca8c
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2017-11-13 17:43:38 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2017-11-13 17:50:38 +0000

    package.mask: mask www-servers/mongoose for removal (bug 630976)
    
    Masked for removal in 30 days. Current versions do not include a
    standalone web server command, and there is an open security issue
    (bug #630976). A fork is available as www-servers/civetweb.
    
    Bug: https://bugs.gentoo.org/630976

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)}

Comment 3 Larry the Git Cow gentoo-dev

2017-12-14 19:11:09 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=348d8d9e4206b730d5da181ed507612015de635e

commit 348d8d9e4206b730d5da181ed507612015de635e
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2017-12-14 19:09:24 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2017-12-14 19:11:02 +0000

    www-servers/mongoose: remove package (bug 630976)
    
    Bug: https://bugs.gentoo.org/630976

 profiles/package.mask                    |  6 ------
 www-servers/mongoose/Manifest            |  1 -
 www-servers/mongoose/metadata.xml        | 10 ---------
 www-servers/mongoose/mongoose-5.6.ebuild | 35 --------------------------------
 4 files changed, 52 deletions(-)}

Comment 4 D'juan McDonald (domhnall) 2019-07-17 02:41:09 UTC

@security ping, Package no longer in tree. Anything else to be done here?

Comment 5 Sam James archtester

2020-03-29 00:04:13 UTC

Closing because was never stable and out of tree.