CVE Vulnerabilities

CVE-2011-2191

Cross-Site Request Forgery (CSRF)

Published: Oct 07, 2011 | Modified: Nov 24, 2011
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
6.8 MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
Ubuntu

Cross-site request forgery (CSRF) vulnerability in Cherokee-admin in Cherokee before 1.2.99 allows remote attackers to hijack the authentication of administrators for requests that insert cross-site scripting (XSS) sequences, as demonstrated by a crafted nickname field to vserver/apply.

Weakness

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Affected Software

Name Vendor Start Version End Version
Cherokee Cherokee-project 0.4.2 0.4.2
Cherokee Cherokee-project 0.7.0 0.7.0
Cherokee Cherokee-project 0.4.20 0.4.20
Cherokee Cherokee-project 0.99.34 0.99.34
Cherokee Cherokee-project 0.99.16 0.99.16
Cherokee Cherokee-project 0.99.40 0.99.40
Cherokee Cherokee-project 1.0.10 1.0.10
Cherokee Cherokee-project 1.0.3 1.0.3
Cherokee Cherokee-project 0.99.44 0.99.44
Cherokee Cherokee-project 0.99.33 0.99.33
Cherokee Cherokee-project 0.99.10 0.99.10
Cherokee Cherokee-project 0.5.3 0.5.3
Cherokee Cherokee-project 0.4.11 0.4.11
Cherokee Cherokee-project 1.0.14 1.0.14
Cherokee Cherokee-project 1.0.6 1.0.6
Cherokee Cherokee-project 0.4.14 0.4.14
Cherokee Cherokee-project 0.6.0 0.6.0
Cherokee Cherokee-project 0.99.48 0.99.48
Cherokee Cherokee-project 0.11.5 0.11.5
Cherokee Cherokee-project 0.4.13 0.4.13
Cherokee Cherokee-project 0.9.0 0.9.0
Cherokee Cherokee-project 0.99.26 0.99.26
Cherokee Cherokee-project 0.99.14 0.99.14
Cherokee Cherokee-project 1.2.2 1.2.2
Cherokee Cherokee-project 0.4.25 0.4.25
Cherokee Cherokee-project 0.99.07 0.99.07
Cherokee Cherokee-project 0.4.18 0.4.18
Cherokee Cherokee-project 1.0.9 1.0.9
Cherokee Cherokee-project 0.4.21 0.4.21
Cherokee Cherokee-project 0.5.5 0.5.5
Cherokee Cherokee-project 0.11.2 0.11.2
Cherokee Cherokee-project 0.99.38 0.99.38
Cherokee Cherokee-project 0.99.20 0.99.20
Cherokee Cherokee-project 0.99.30 0.99.30
Cherokee Cherokee-project 0.10.1 0.10.1
Cherokee Cherokee-project 0.99.37 0.99.37
Cherokee Cherokee-project 0.99.6 0.99.6
Cherokee Cherokee-project 0.11.4 0.11.4
Cherokee Cherokee-project 0.99.22 0.99.22
Cherokee Cherokee-project 0.99.21 0.99.21
Cherokee Cherokee-project 1.0.8 1.0.8
Cherokee Cherokee-project 0.9.2 0.9.2
Cherokee Cherokee-project 0.99.32 0.99.32
Cherokee Cherokee-project 0.4.16 0.4.16
Cherokee Cherokee-project 1.2.1 1.2.1
Cherokee Cherokee-project 0.4.22 0.4.22
Cherokee Cherokee-project 0.7.1 0.7.1
Cherokee Cherokee-project 1.0.5 1.0.5
Cherokee Cherokee-project 0.4.27 0.4.27
Cherokee Cherokee-project 0.99.23 0.99.23
Cherokee Cherokee-project 0.5.0 0.5.0
Cherokee Cherokee-project 0.4.10 0.4.10
Cherokee Cherokee-project 0.4.24 0.4.24
Cherokee Cherokee-project 0.10.0 0.10.0
Cherokee Cherokee-project 0.4.30 0.4.30
Cherokee Cherokee-project 0.8.0 0.8.0
Cherokee Cherokee-project 0.5.2 0.5.2
Cherokee Cherokee-project 1.0.20 1.0.20
Cherokee Cherokee-project 0.99.25 0.99.25
Cherokee Cherokee-project 0.4.15 0.4.15
Cherokee Cherokee-project 0.4.1 0.4.1
Cherokee Cherokee-project 0.99.8 0.99.8
Cherokee Cherokee-project 0.99.18 0.99.18
Cherokee Cherokee-project 0.99.19 0.99.19
Cherokee Cherokee-project 1.0.17 1.0.17
Cherokee Cherokee-project 1.0.18 1.0.18
Cherokee Cherokee-project 1.0.15 1.0.15
Cherokee Cherokee-project 1.0.12 1.0.12
Cherokee Cherokee-project 0.99.39 0.99.39
Cherokee Cherokee-project 1.0.11 1.0.11
Cherokee Cherokee-project 0.99.41 0.99.41
Cherokee Cherokee-project 0.4.4 0.4.4
Cherokee Cherokee-project 0.9.4 0.9.4
Cherokee Cherokee-project 0.99.1 0.99.1
Cherokee Cherokee-project 1.0.7 1.0.7
Cherokee Cherokee-project 0.99.27 0.99.27
Cherokee Cherokee-project 0.99.47 0.99.47
Cherokee Cherokee-project 0.99.15 0.99.15
Cherokee Cherokee-project 1.0.0 1.0.0
Cherokee Cherokee-project 0.99.4 0.99.4
Cherokee Cherokee-project 0.4.7 0.4.7
Cherokee Cherokee-project 0.4.6 0.4.6
Cherokee Cherokee-project 0.99.24 0.99.24
Cherokee Cherokee-project 0.4.17 0.4.17
Cherokee Cherokee-project 0.6.1 0.6.1
Cherokee Cherokee-project 0.99.5 0.99.5
Cherokee Cherokee-project 0.4.29 0.4.29
Cherokee Cherokee-project 0.99.12 0.99.12
Cherokee Cherokee-project 0.99.45 0.99.45
Cherokee Cherokee-project 0.4.8 0.4.8
Cherokee Cherokee-project 0.5.6 0.5.6
Cherokee Cherokee-project 0.99.29 0.99.29
Cherokee Cherokee-project 0.4.0 0.4.0
Cherokee Cherokee-project 0.99.13 0.99.13
Cherokee Cherokee-project 0.4.26 0.4.26
Cherokee Cherokee-project 0.99.36 0.99.36
Cherokee Cherokee-project 0.11.3 0.11.3
Cherokee Cherokee-project 0.4.5 0.4.5
Cherokee Cherokee-project 0.9.3 0.9.3
Cherokee Cherokee-project 0.5.4 0.5.4
Cherokee Cherokee-project 0.99.17 0.99.17
Cherokee Cherokee-project 0.98.1 0.98.1
Cherokee Cherokee-project 0.99.42 0.99.42
Cherokee Cherokee-project 1.0.19 1.0.19
Cherokee Cherokee-project 0.99.49 0.99.49
Cherokee Cherokee-project 0.98.0 0.98.0
Cherokee Cherokee-project 0.11.0 0.11.0
Cherokee Cherokee-project 0.99.43 0.99.43
Cherokee Cherokee-project 0.4.28 0.4.28
Cherokee Cherokee-project 0.4.19 0.4.19
Cherokee Cherokee-project 0.3.0 0.3.0
Cherokee Cherokee-project 0.4.23 0.4.23
Cherokee Cherokee-project 0.99.3 0.99.3
Cherokee Cherokee-project 0.8.1 0.8.1
Cherokee Cherokee-project 0.99.11 0.99.11
Cherokee Cherokee-project 0.7.2 0.7.2
Cherokee Cherokee-project 0.99.31 0.99.31
Cherokee Cherokee-project 1.2.0 1.2.0
Cherokee Cherokee-project 0.99.28 0.99.28
Cherokee Cherokee-project 1.0.16 1.0.16
Cherokee Cherokee-project 0.11.6 0.11.6
Cherokee Cherokee-project 1.0.2 1.0.2
Cherokee Cherokee-project 0.99.35 0.99.35
Cherokee Cherokee-project 0.11.1 0.11.1
Cherokee Cherokee-project 0.99.0 0.99.0
Cherokee Cherokee-project 0.99.9 0.99.9
Cherokee Cherokee-project 0.4.9 0.4.9
Cherokee Cherokee-project 0.5.1 0.5.1
Cherokee Cherokee-project 0.99.46 0.99.46
Cherokee Cherokee-project 1.0.13 1.0.13
Cherokee Cherokee-project 1.0.1 1.0.1
Cherokee Cherokee-project 0.99.2 0.99.2
Cherokee Cherokee-project 0.4.12 0.4.12
Cherokee Cherokee-project 0.4.3 0.4.3
Cherokee Cherokee-project 0.9.1 0.9.1
Cherokee Cherokee-project 1.0.4 1.0.4
Cherokee Cherokee-project * 1.2.98

Potential Mitigations

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, use anti-CSRF packages such as the OWASP CSRFGuard. [REF-330]
  • Another example is the ESAPI Session Management control, which includes a component for CSRF. [REF-45]
  • Use the “double-submitted cookie” method as described by Felten and Zeller:
  • When a user visits a site, the site should generate a pseudorandom value and set it as a cookie on the user’s machine. The site should require every form submission to include this value as a form value and also as a cookie value. When a POST request is sent to the site, the request should only be considered valid if the form value and the cookie value are the same.
  • Because of the same-origin policy, an attacker cannot read or modify the value stored in the cookie. To successfully submit a form on behalf of the user, the attacker would have to correctly guess the pseudorandom value. If the pseudorandom value is cryptographically strong, this will be prohibitively difficult.
  • This technique requires Javascript, so it may not work for browsers that have Javascript disabled. [REF-331]

References