
From 9e9b6a5f26dfcf255fb63bf2326e23a40796f982 Mon Sep 17 00:00:00 2001
From: Ricardo Bartels <ricardo@bitchbrothers.com>
Date: Mon, 23 Dec 2013 17:22:10 +0100
Subject: [PATCH] classic-ui: fix vulnerability against CSRF attacks
 CVE-2013-7107 #5346

This is the fix for CVE-2013-7107. From now on the HTTP Referer header is
checked to verify that a request to cmd.cgi actually originates from
cmd.cgi itself. Otherwise the request is rejected and the user is notified
where possible. A new cgi.cfg option "disable_cmd_cgi_csrf_protection" was
also added to turn the protection off so that external programs can still
submit commands.

backported to 1.10.2

refs: #5346
---
 cgi/cgiutils.c                                          |  4 ++++
 cgi/cmd.c                                               | 17 +++++++++++++++++
 sample-config/cgi.cfg.in                                | 12 ++++++++++++
 .../updates/cgi.cfg_added_1.10.2_to_1.10.2p1.cfg        | 17 +++++++++++++++++
 4 files changed, 50 insertions(+)
 create mode 100644 sample-config/updates/cgi.cfg_added_1.10.2_to_1.10.2p1.cfg

diff --git a/cgi/cgiutils.c b/cgi/cgiutils.c
index 2cc5908..e909336 100644
--- a/cgi/cgiutils.c
+++ b/cgi/cgiutils.c
@@ -184,6 +184,7 @@ int		add_notif_num_hard = 0;
 int		add_notif_num_soft = 0;
 int		enforce_comments_on_actions = FALSE;
 int		week_starts_on_monday = FALSE;
+int		disable_cmd_cgi_csrf_protection = FALSE;
 
 int		show_partial_hostgroups = FALSE;
 int		show_partial_servicegroups = FALSE;
@@ -691,6 +692,9 @@ int read_cgi_config_file(char *filename) {
 		else if (!strcmp(var, "display_status_totals"))
 			display_status_totals = (atoi(val) > 0) ? TRUE : FALSE;
 
+		else if (!strcmp(var, "disable_cmd_cgi_csrf_protection"))
+			disable_cmd_cgi_csrf_protection = (atoi(val) > 0) ? TRUE : FALSE;
+
 		else if (!strcmp(var, "authorization_config_file")) {
 			authorization_config_file = strdup(val);
 			strip(authorization_config_file);
diff --git a/cgi/cmd.c b/cgi/cmd.c
index e8b3e41..cce3581 100644
--- a/cgi/cmd.c
+++ b/cgi/cmd.c
@@ -38,6 +38,7 @@
 #include "../include/cgiutils.h"
 #include "../include/cgiauth.h"
 #include "../include/getcgi.h"
+#include "../include/locations.h"
 
 /** @name External vars
     @{ **/
@@ -57,6 +58,7 @@ extern int  send_ack_notifications;
 extern int  default_expiring_acknowledgement_duration;
 extern int  set_expire_ack_by_default;
 extern int  default_expiring_disabled_notifications_duration;
+extern int  disable_cmd_cgi_csrf_protection;
 
 extern int  display_header;
 extern int  daemon_check;
@@ -2070,6 +2072,9 @@ void commit_command_data(int cmd) {
 	scheduled_downtime *temp_downtime;
 	servicegroup *temp_servicegroup = NULL;
 	contact *temp_contact = NULL;
+	char *referer;
+	char *referer_check;
+	char *buffer;
 	int x = 0;
 	int e = 0;
 	short error_found = FALSE;
@@ -2079,6 +2084,18 @@ void commit_command_data(int cmd) {
 	/* get authentication information */
 	get_authentication_information(&current_authdata);
 
+	referer = getenv("HTTP_REFERER");
+	asprintf(&referer_check, "%s/%s", DEFAULT_URL_CGIBIN_PATH, CMD_CGI);
+
+	if (disable_cmd_cgi_csrf_protection == FALSE && (referer == NULL || !strstr(referer, referer_check))) {
+		if (use_logging == TRUE) {
+			asprintf(&buffer, "ERROR: %s;%s;%s;This appears to be a CSRF attack! The command wasn't issued via Classic-UI itself!", current_authdata.username, (getenv("REMOTE_ADDR") != NULL) ? getenv("REMOTE_ADDR") : "unknown remote address", extcmd_get_name(cmd));
+			write_to_cgi_log(buffer);
+		}
+		print_generic_error_message("Error: This appears to be a CSRF attack! The command wasn't issued via Classic-UI itself!", NULL, 2);
+		return;
+	}
+
 	/* allways set the first element to FALSE*/
 	/* If there is a single COMMAND witch is not coverd correctly throught the following cases it won't get executed */
 	is_authorized[x] = FALSE;
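Review bot: The `strstr(referer, referer_check)` test on the new line in commit_command_data() is a substring match, so a Referer such as `https://attacker.example/cgi-bin/icinga/cmd.cgi` or any attacker URL carrying the expected path in its query string satisfies it and the CSRF guard is bypassed. A Referer-based guard has to pin both the host (compare against `HTTP_HOST`) and the path immediately after it; even then it remains a weaker defense than a per-session token in the cmd.cgi form, which I would suggest as the follow-up. The `asprintf` return values are also unchecked and `referer_check`/`buffer` are never freed before the early `return` (tolerable in a short-lived CGI, but `referer_check` may be NULL on allocation failure and is then passed to `strstr`). Note that browsers and privacy proxies may strip Referer entirely, so the rejection message should tell the operator about `disable_cmd_cgi_csrf_protection`; the rest of the function continues outside this hunk.

```c
	char *referer_host = getenv("HTTP_HOST");
	char *p = NULL;
	int referer_ok = FALSE;

	referer = getenv("HTTP_REFERER");
	/* Anchor the check: "<scheme>://<this host><cgi-bin path>/cmd.cgi"; a bare
	 * substring match could be satisfied by an attacker-controlled URL. */
	if (asprintf(&referer_check, "%s/%s", DEFAULT_URL_CGIBIN_PATH, CMD_CGI) < 0)
		referer_check = NULL;
	if (referer != NULL && referer_host != NULL && referer_check != NULL && (p = strstr(referer, "://")) != NULL) {
		p += 3;
		if (strncmp(p, referer_host, strlen(referer_host)) == 0 &&
		    strncmp(p + strlen(referer_host), referer_check, strlen(referer_check)) == 0)
			referer_ok = TRUE;
	}
	free(referer_check);

	if (disable_cmd_cgi_csrf_protection == FALSE && referer_ok == FALSE) {
		/* … unchanged: logging and print_generic_error_message() … */
		return;
	}
```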
diff --git a/sample-config/cgi.cfg.in b/sample-config/cgi.cfg.in
index b7f931c..f7755e9 100644
--- a/sample-config/cgi.cfg.in
+++ b/sample-config/cgi.cfg.in
@@ -709,6 +709,18 @@ default_expiring_disabled_notifications_duration=86400
 
 
 
+# DISABLE CMD CGI CSRF PROTECTION
+# This option disables the protection against CSRF attacks
+# (Cross-Site Request Forgery). Use this option only if you are
+# using external programs (like Nagstamon) which access
+# cmd.cgi directly to submit commands. By default the submitted
+# command (via external program) will be rejected.
+# The default is 0 (protection is on).
+
+disable_cmd_cgi_csrf_protection=0
+
+
+
 
 ######################################
 #
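Review bot: The option comment in the new DISABLE CMD CGI CSRF PROTECTION block does not say that setting it to 1 removes the Referer check for every client, browsers included, not only for the external program it is meant to accommodate. I would add after "By default the submitted command (via external program) will be rejected.": `# WARNING: setting this to 1 removes the CSRF protection for ALL clients, including browsers; only do so when access to cmd.cgi is otherwise restricted (e.g. by network or proxy rules).`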
diff --git a/sample-config/updates/cgi.cfg_added_1.10.2_to_1.10.2p1.cfg b/sample-config/updates/cgi.cfg_added_1.10.2_to_1.10.2p1.cfg
new file mode 100644
index 0000000..d047043
--- /dev/null
+++ b/sample-config/updates/cgi.cfg_added_1.10.2_to_1.10.2p1.cfg
@@ -0,0 +1,17 @@
+#################################################################
+# These are newly ADDED config options for CGI.CFG only.
+#
+# NOTE: Update your existing configuration with those new ones,
+#	if needed. You are advised to do so, in order to get the
+#	full Icinga experience!
+#################################################################
+
+# DISABLE CMD CGI CSRF PROTECTION
+# This option disables the protection against CSRF attacks
+# (Cross-Site Request Forgery). Use this option only if you are
+# using external programs (like Nagstamon) which access
+# cmd.cgi directly to submit commands. By default the submitted
+# command (via external program) will be rejected.
+# The default is 0 (protection is on).
+
+disable_cmd_cgi_csrf_protection=0
\ No newline at end of file
-- 
1.8.2.1
