
Re: monit / CVE-2016-7067

Hi Brian

Just to clarify myself. With a forged link I meant a forged link of any type, including a malicious form.

I think you have good thinking. There is a security vulnerability but the correction is definitely a change that can cause a backwards compatibility issue, just as you write, for any interaction not relying on a human with a web browser.

Best regards

// Ola

On 27 November 2016 at 08:56, Brian May <bam@debian.org> wrote:
Ola Lundqvist <ola@inguza.com> writes:

> I think this type of vulnerability can fall in the category of "minor
> issue" as it actually needs an administrator to visit a forged link. Also it
> should be fairly obvious that the state has changed when the link is
> clicked by the administrator and it should be easy to change it back.

I think the danger is that an administrator could click "submit" on a
malicious HTML form and not realize the form is submitting to a monit
instance on localhost. There is no need to forge links. This is potentially
bad. Although from what you are saying, it sounds like the damage that
can be done is limited.

You also have to consider that adding CSRF is a fundamental change
to the HTTP API, which could break stuff, if there is anything that even
connects to monit, aside from an end user with a web browser.

I think I will leave this to somebody more familiar with monit and how
it is used.
Brian May <bam@debian.org>

 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
