
Re: monit / CVE-2016-7067

Ola Lundqvist <ola@inguza.com> writes:

> I think this type of vulnerability can fall in the category of "minor
> issue" as it actually needs an administrator to visit a forged link. Also it
> should be fairly obvious that the state has changed when the link is
> clicked by the administrator and it should be easy to change it back.

I think the danger is that an administrator could click "submit" on a
malicious HTML form and not realize the form is submitting to a monit
instance on localhost. There is no need to forge links. This is potentially
bad. Although from what you are saying, it sounds like the damage that
can be done is limited.

You also have to consider that adding CSRF is a fundamental change
to the HTTP API, which could break stuff, if there is anything that even
connects to monit, aside from an end user with a web browser.

I think I will leave this to somebody more familiar with monit and how
it is used.
Brian May <bam@debian.org>
