CVE Vulnerabilities

CVE-2011-2191

Cross-Site Request Forgery (CSRF)

Published: Oct 07, 2011 | Modified: Nov 24, 2011
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
6.8 MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM

Cross-site request forgery (CSRF) vulnerability in Cherokee-admin in Cherokee before 1.2.99 allows remote attackers to hijack the authentication of administrators for requests that insert cross-site scripting (XSS) sequences, as demonstrated by a crafted nickname field to vserver/apply.

Weakness

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Affected Software

Name Vendor Start Version End Version
Cherokee Cherokee-project * 1.2.98 (including)
Cherokee Cherokee-project 0.3.0 (including) 0.3.0 (including)
Cherokee Cherokee-project 0.4.0 (including) 0.4.0 (including)
Cherokee Cherokee-project 0.4.1 (including) 0.4.1 (including)
Cherokee Cherokee-project 0.4.2 (including) 0.4.2 (including)
Cherokee Cherokee-project 0.4.3 (including) 0.4.3 (including)
Cherokee Cherokee-project 0.4.4 (including) 0.4.4 (including)
Cherokee Cherokee-project 0.4.5 (including) 0.4.5 (including)
Cherokee Cherokee-project 0.4.6 (including) 0.4.6 (including)
Cherokee Cherokee-project 0.4.7 (including) 0.4.7 (including)
Cherokee Cherokee-project 0.4.8 (including) 0.4.8 (including)
Cherokee Cherokee-project 0.4.9 (including) 0.4.9 (including)
Cherokee Cherokee-project 0.4.10 (including) 0.4.10 (including)
Cherokee Cherokee-project 0.4.11 (including) 0.4.11 (including)
Cherokee Cherokee-project 0.4.12 (including) 0.4.12 (including)
Cherokee Cherokee-project 0.4.13 (including) 0.4.13 (including)
Cherokee Cherokee-project 0.4.14 (including) 0.4.14 (including)
Cherokee Cherokee-project 0.4.15 (including) 0.4.15 (including)
Cherokee Cherokee-project 0.4.16 (including) 0.4.16 (including)
Cherokee Cherokee-project 0.4.17 (including) 0.4.17 (including)
Cherokee Cherokee-project 0.4.18 (including) 0.4.18 (including)
Cherokee Cherokee-project 0.4.19 (including) 0.4.19 (including)
Cherokee Cherokee-project 0.4.20 (including) 0.4.20 (including)
Cherokee Cherokee-project 0.4.21 (including) 0.4.21 (including)
Cherokee Cherokee-project 0.4.22 (including) 0.4.22 (including)
Cherokee Cherokee-project 0.4.23 (including) 0.4.23 (including)
Cherokee Cherokee-project 0.4.24 (including) 0.4.24 (including)
Cherokee Cherokee-project 0.4.25 (including) 0.4.25 (including)
Cherokee Cherokee-project 0.4.26 (including) 0.4.26 (including)
Cherokee Cherokee-project 0.4.27 (including) 0.4.27 (including)
Cherokee Cherokee-project 0.4.28 (including) 0.4.28 (including)
Cherokee Cherokee-project 0.4.29 (including) 0.4.29 (including)
Cherokee Cherokee-project 0.4.30 (including) 0.4.30 (including)
Cherokee Cherokee-project 0.5.0 (including) 0.5.0 (including)
Cherokee Cherokee-project 0.5.1 (including) 0.5.1 (including)
Cherokee Cherokee-project 0.5.2 (including) 0.5.2 (including)
Cherokee Cherokee-project 0.5.3 (including) 0.5.3 (including)
Cherokee Cherokee-project 0.5.4 (including) 0.5.4 (including)
Cherokee Cherokee-project 0.5.5 (including) 0.5.5 (including)
Cherokee Cherokee-project 0.5.6 (including) 0.5.6 (including)
Cherokee Cherokee-project 0.6.0 (including) 0.6.0 (including)
Cherokee Cherokee-project 0.6.1 (including) 0.6.1 (including)
Cherokee Cherokee-project 0.7.0 (including) 0.7.0 (including)
Cherokee Cherokee-project 0.7.1 (including) 0.7.1 (including)
Cherokee Cherokee-project 0.7.2 (including) 0.7.2 (including)
Cherokee Cherokee-project 0.8.0 (including) 0.8.0 (including)
Cherokee Cherokee-project 0.8.1 (including) 0.8.1 (including)
Cherokee Cherokee-project 0.9.0 (including) 0.9.0 (including)
Cherokee Cherokee-project 0.9.1 (including) 0.9.1 (including)
Cherokee Cherokee-project 0.9.2 (including) 0.9.2 (including)
Cherokee Cherokee-project 0.9.3 (including) 0.9.3 (including)
Cherokee Cherokee-project 0.9.4 (including) 0.9.4 (including)
Cherokee Cherokee-project 0.10.0 (including) 0.10.0 (including)
Cherokee Cherokee-project 0.10.1 (including) 0.10.1 (including)
Cherokee Cherokee-project 0.11.0 (including) 0.11.0 (including)
Cherokee Cherokee-project 0.11.1 (including) 0.11.1 (including)
Cherokee Cherokee-project 0.11.2 (including) 0.11.2 (including)
Cherokee Cherokee-project 0.11.3 (including) 0.11.3 (including)
Cherokee Cherokee-project 0.11.4 (including) 0.11.4 (including)
Cherokee Cherokee-project 0.11.5 (including) 0.11.5 (including)
Cherokee Cherokee-project 0.11.6 (including) 0.11.6 (including)
Cherokee Cherokee-project 0.98.0 (including) 0.98.0 (including)
Cherokee Cherokee-project 0.98.1 (including) 0.98.1 (including)
Cherokee Cherokee-project 0.99.0 (including) 0.99.0 (including)
Cherokee Cherokee-project 0.99.1 (including) 0.99.1 (including)
Cherokee Cherokee-project 0.99.2 (including) 0.99.2 (including)
Cherokee Cherokee-project 0.99.3 (including) 0.99.3 (including)
Cherokee Cherokee-project 0.99.4 (including) 0.99.4 (including)
Cherokee Cherokee-project 0.99.5 (including) 0.99.5 (including)
Cherokee Cherokee-project 0.99.6 (including) 0.99.6 (including)
Cherokee Cherokee-project 0.99.07 (including) 0.99.07 (including)
Cherokee Cherokee-project 0.99.8 (including) 0.99.8 (including)
Cherokee Cherokee-project 0.99.9 (including) 0.99.9 (including)
Cherokee Cherokee-project 0.99.10 (including) 0.99.10 (including)
Cherokee Cherokee-project 0.99.11 (including) 0.99.11 (including)
Cherokee Cherokee-project 0.99.12 (including) 0.99.12 (including)
Cherokee Cherokee-project 0.99.13 (including) 0.99.13 (including)
Cherokee Cherokee-project 0.99.14 (including) 0.99.14 (including)
Cherokee Cherokee-project 0.99.15 (including) 0.99.15 (including)
Cherokee Cherokee-project 0.99.16 (including) 0.99.16 (including)
Cherokee Cherokee-project 0.99.17 (including) 0.99.17 (including)
Cherokee Cherokee-project 0.99.18 (including) 0.99.18 (including)
Cherokee Cherokee-project 0.99.19 (including) 0.99.19 (including)
Cherokee Cherokee-project 0.99.20 (including) 0.99.20 (including)
Cherokee Cherokee-project 0.99.21 (including) 0.99.21 (including)
Cherokee Cherokee-project 0.99.22 (including) 0.99.22 (including)
Cherokee Cherokee-project 0.99.23 (including) 0.99.23 (including)
Cherokee Cherokee-project 0.99.24 (including) 0.99.24 (including)
Cherokee Cherokee-project 0.99.25 (including) 0.99.25 (including)
Cherokee Cherokee-project 0.99.26 (including) 0.99.26 (including)
Cherokee Cherokee-project 0.99.27 (including) 0.99.27 (including)
Cherokee Cherokee-project 0.99.28 (including) 0.99.28 (including)
Cherokee Cherokee-project 0.99.29 (including) 0.99.29 (including)
Cherokee Cherokee-project 0.99.30 (including) 0.99.30 (including)
Cherokee Cherokee-project 0.99.31 (including) 0.99.31 (including)
Cherokee Cherokee-project 0.99.32 (including) 0.99.32 (including)
Cherokee Cherokee-project 0.99.33 (including) 0.99.33 (including)
Cherokee Cherokee-project 0.99.34 (including) 0.99.34 (including)
Cherokee Cherokee-project 0.99.35 (including) 0.99.35 (including)
Cherokee Cherokee-project 0.99.36 (including) 0.99.36 (including)
Cherokee Cherokee-project 0.99.37 (including) 0.99.37 (including)
Cherokee Cherokee-project 0.99.38 (including) 0.99.38 (including)
Cherokee Cherokee-project 0.99.39 (including) 0.99.39 (including)
Cherokee Cherokee-project 0.99.40 (including) 0.99.40 (including)
Cherokee Cherokee-project 0.99.41 (including) 0.99.41 (including)
Cherokee Cherokee-project 0.99.42 (including) 0.99.42 (including)
Cherokee Cherokee-project 0.99.43 (including) 0.99.43 (including)
Cherokee Cherokee-project 0.99.44 (including) 0.99.44 (including)
Cherokee Cherokee-project 0.99.45 (including) 0.99.45 (including)
Cherokee Cherokee-project 0.99.46 (including) 0.99.46 (including)
Cherokee Cherokee-project 0.99.47 (including) 0.99.47 (including)
Cherokee Cherokee-project 0.99.48 (including) 0.99.48 (including)
Cherokee Cherokee-project 0.99.49 (including) 0.99.49 (including)
Cherokee Cherokee-project 1.0.0 (including) 1.0.0 (including)
Cherokee Cherokee-project 1.0.1 (including) 1.0.1 (including)
Cherokee Cherokee-project 1.0.2 (including) 1.0.2 (including)
Cherokee Cherokee-project 1.0.3 (including) 1.0.3 (including)
Cherokee Cherokee-project 1.0.4 (including) 1.0.4 (including)
Cherokee Cherokee-project 1.0.5 (including) 1.0.5 (including)
Cherokee Cherokee-project 1.0.6 (including) 1.0.6 (including)
Cherokee Cherokee-project 1.0.7 (including) 1.0.7 (including)
Cherokee Cherokee-project 1.0.8 (including) 1.0.8 (including)
Cherokee Cherokee-project 1.0.9 (including) 1.0.9 (including)
Cherokee Cherokee-project 1.0.10 (including) 1.0.10 (including)
Cherokee Cherokee-project 1.0.11 (including) 1.0.11 (including)
Cherokee Cherokee-project 1.0.12 (including) 1.0.12 (including)
Cherokee Cherokee-project 1.0.13 (including) 1.0.13 (including)
Cherokee Cherokee-project 1.0.14 (including) 1.0.14 (including)
Cherokee Cherokee-project 1.0.15 (including) 1.0.15 (including)
Cherokee Cherokee-project 1.0.16 (including) 1.0.16 (including)
Cherokee Cherokee-project 1.0.17 (including) 1.0.17 (including)
Cherokee Cherokee-project 1.0.18 (including) 1.0.18 (including)
Cherokee Cherokee-project 1.0.19 (including) 1.0.19 (including)
Cherokee Cherokee-project 1.0.20 (including) 1.0.20 (including)
Cherokee Cherokee-project 1.2.0 (including) 1.2.0 (including)
Cherokee Cherokee-project 1.2.1 (including) 1.2.1 (including)
Cherokee Cherokee-project 1.2.2 (including) 1.2.2 (including)
Cherokee Ubuntu hardy *
Cherokee Ubuntu lucid *
Cherokee Ubuntu maverick *
Cherokee Ubuntu natty *
Cherokee Ubuntu oneiric *
Cherokee Ubuntu precise *

Potential Mitigations

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, use anti-CSRF packages such as the OWASP CSRFGuard. [REF-330]
  • Another example is the ESAPI Session Management control, which includes a component for CSRF. [REF-45]
  • Use the “double-submitted cookie” method as described by Felten and Zeller:
  • When a user visits a site, the site should generate a pseudorandom value and set it as a cookie on the user’s machine. The site should require every form submission to include this value as a form value and also as a cookie value. When a POST request is sent to the site, the request should only be considered valid if the form value and the cookie value are the same.
  • Because of the same-origin policy, an attacker cannot read or modify the value stored in the cookie. To successfully submit a form on behalf of the user, the attacker would have to correctly guess the pseudorandom value. If the pseudorandom value is cryptographically strong, this will be prohibitively difficult.
  • This technique requires Javascript, so it may not work for browsers that have Javascript disabled. [REF-331]

References