Re: monit / CVE-2016-7067

To: Debian LTS <debian-lts@lists.debian.org>
Subject: Re: monit / CVE-2016-7067
From: Brian May <bam@debian.org>
Date: Sun, 27 Nov 2016 18:56:30 +1100
Message-id: <[🔎] 87shqds6dt.fsf@prune.linuxpenguins.xyz>
In-reply-to: <[🔎] CABY6=0kQOyPi2qHMhCrOzXu-vqzqVkM4cTVT0Eb8+7g9VGPNjQ@mail.gmail.com>
References: <[🔎] 878tsdfhgp.fsf@prune.linuxpenguins.xyz> <[🔎] CABY6=0kQOyPi2qHMhCrOzXu-vqzqVkM4cTVT0Eb8+7g9VGPNjQ@mail.gmail.com>

Ola Lundqvist <ola@inguza.com> writes:

> I think this type of vulnerability can fall in the category of "minor
> issue" as it actually need an administrator to visit a forged link. Also it
> should be fairly obvious that the state have changed when the link is
> clicked by the administrator and it should be easy to change it back.

I think the danger is that an administrator could click "submit" on a
mallacious HTML form and not realize the form is submitting to monit
instance localhost. There is no need to forge links. This is potentially
bad. Although from what you are saying, it sounds like the damage that
can be done is limited.

You also have to also consider that adding CSRF is a fundemental change
to the HTTP API, which could break stuff. If there is anything that even
connects to monit, aside from an end user with a web browser.

I think I will leave this to somebody more familiar with monit and how
it is used.
-- 
Brian May <bam@debian.org>

Reply to:

Follow-Ups:
- Re: monit / CVE-2016-7067
  - From: Ola Lundqvist <ola@inguza.com>

References:
- monit / CVE-2016-7067
  - From: Brian May <brian@linuxpenguins.xyz>
- Re: monit / CVE-2016-7067
  - From: Ola Lundqvist <ola@inguza.com>

Prev by Date: Re: Qemu CVEs in Xen
Next by Date: Re: monit / CVE-2016-7067
Previous by thread: Re: monit / CVE-2016-7067
Next by thread: Re: monit / CVE-2016-7067
Index(es):
- Date
- Thread