Bug 5252

Summary: ocsinventory new security issue CVE-2011-4024
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: bersuit.vera, davidwhodgins, juan.baptiste, mageia, pterjan, sysadmin-bugs, tmb
Version: 1Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
Whiteboard: MGA1-32-OK, MGA1-64-OK
Source RPM: ocsinventory-1.3.3-1.mga1.src.rpm CVE:
Status comment:

Description David Walser 2012-04-06 14:53:48 CEST 
Mandriva issued this advisory on Wednesday (April 4):
http://www.mandriva.com/en/support/security/advisories/?dis=mes5&name=MDVSA-2012:053

Cauldron is not vulnerable.  You could patch it, or just update to the newest version, as was requested in Bug 2129.
David Walser 2012-04-06 15:04:16 CEST

CC: (none) => mageia

David Walser 2012-04-06 15:04:28 CEST

CC: (none) => guillomovitch

David Walser 2012-04-07 04:31:35 CEST

CC: guillomovitch => (none)

David Walser 2012-04-07 04:31:56 CEST

CC: (none) => pterjan

Comment 1 Dave Hodgins 2012-05-08 02:23:52 CEST 
Also see
https://bugs.mageia.org/show_bug.cgi?id=5063#c21

CC: (none) => davidwhodgins

Comment 2 Juan Luis Baptiste 2012-08-21 06:55:52 CEST 
This is only valid for mga 1, according to the Mandriva advisory, version 2.0.1 and earlier are vulnerable, we have 2.0.4 on mga 2 and we are on the process of updating to the latest 2.0.5 on cauldron (agent ready) with one of my apprentices.

CC: (none) => juan.baptiste

Alfonso Vera 2012-08-21 08:40:50 CEST

CC: (none) => bersuit.vera

Comment 3 David Walser 2012-08-21 12:54:04 CEST 
Yes, that's correct.  This bug is for Mageia 1.
Comment 4 Alfonso Vera 2012-09-17 09:33:05 CEST 
I am working to patch the security issue

Status: NEW => ASSIGNED
Assignee: bugsquad => bersuit.vera

Comment 5 Juan Luis Baptiste 2012-09-19 22:33:56 CEST 
I have pushed to mga 1 core/updates_testing a patched version done by Alfonso: ocsinventory-1.3.3-1.1.mga1, reassigning to QA. Alfonso, don't forget to write the advisory, you can base on Mandriva's one.
Juan Luis Baptiste 2012-09-19 22:45:02 CEST

Assignee: bersuit.vera => bugsquad

Juan Luis Baptiste 2012-09-19 22:45:59 CEST

Assignee: bugsquad => qa-bugs

Comment 6 David Walser 2012-09-19 23:48:37 CEST 
Packages built by this SRPM:
ocsinventory-server-1.3.3-1.1.mga1
ocsinventory-reports-1.3.3-1.1.mga1
Comment 7 David Walser 2012-09-19 23:49:07 CEST 
Juan, Alfonso, what about the issue Dave mentioned in Comment 1?
Comment 8 Alfonso Vera 2012-09-20 09:33:23 CEST 

Suggested advisory:
========================

A vulnerability has been found and corrected in ocsinventory:

Cross-site scripting (XSS) vulnerability in ocsinventory in OCS
Inventory NG 2.0.1 and earlier allows remote attackers to inject
arbitrary web script or HTML via unspecified vectors (CVE-2011-4024).

The updated packages have been patched to correct this issue. 
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4024
========================

Updated packages in {core,tainted,nonfree}/updates_testing:
========================
ocsinventory-server-1.3.3-1.1.mga1
ocsinventory-reports-1.3.3-1.1.mga1

Source RPM: 
ocsinventory-1.3.3-1.1.mga1.src.rpm
Comment 9 claire robinson 2012-09-21 13:23:42 CEST 
PoC @ http://www.exploit-db.com/exploits/18005/
Comment 10 claire robinson 2012-09-21 15:48:07 CEST 
I'm having problems getting ocsinventory-server working to test the PoC.

Browsing to localhost/ocsinventory gives a Bad Request 400 error

In apache error log I see..

ocsinventory-server: Can't load SOAP::Transport::HTTP* - Web service will be unavailable

$ urpmq --whatprovides 'perl(SOAP::Transport::HTTP)'
perl-SOAP-Lite
$ rpm -q perl-SOAP-Lite
perl-SOAP-Lite-0.712.0-1.mga1

Looking in /etc/httpd/conf/webapps.d/ocsinventory-server.conf

I think it is missing ::SOAP from..

PerlHandler Apache::Ocsinventory

Adding it so that it reads..

PerlHandler Apache::Ocsinventory::SOAP

and restarting apache, it now gives a 403 Access Forbidden error

Not sure where to go from here. Any pointers?

Also, ocsinventory-reports complains of missing php-gd
Comment 11 claire robinson 2012-09-21 16:08:53 CEST 
I got a little bit further. Setting WEB_SERVICE_ENABLED to 1 in 
/etc/httpd/conf/webapps.d/ocsinventory-server.conf

It now gives a 500 error..

The server encountered an internal error and was unable to complete your request.

Error message:
Can't call method "handler" on an undefined value at /usr/lib/perl5/vendor_perl/5.12.3/Apache/Ocsinventory/SOAP.pm line 37. 

Googling the error I found http://forums.ocsinventory-ng.org/viewtopic.php?id=5134

It seems to say we need perl-XML-Entities and Apache2::SOAP but..

$ rpm -q perl-XML-Entities
package perl-XML-Entities is not installed

$  urpmq --whatprovides 'perl(Apache2::SOAP)'
No package named perl(Apache2::SOAP)
$  urpmq --whatprovides 'perl(Apache::SOAP)'
perl-SOAP-Lite

So maybe some missing requires here.
Comment 12 claire robinson 2012-09-21 16:16:18 CEST 
Installing perl-XML-Entities makes no difference.
claire robinson 2012-09-21 16:19:06 CEST

Whiteboard: (none) => feedback

Comment 13 Alfonso Vera 2012-09-21 17:46:34 CEST 
Hi Claire,
The security error is in ocsreports, install php-mbstring por view ocsreports,
I think this bug https://bugs.mageia.org/show_bug.cgi?id=7222 works in MGA1.
This SOAP error is minor.
http://forums.ocsinventory-ng.org/viewtopic.php?id=9102
Comment 14 claire robinson 2012-09-21 18:58:22 CEST 
Thanks for the response Alfonso.

As far as I can tell, you should be able to access localhost/ocsinventory but there are errors as above. Meaning the package is in effect broken, unless it is not supposed to be accessed this way? 

/etc/httpd/conf/webapps.d/ocsinventory-server.conf does seem to suggest it should be.


localhost/ocsinventory-reports is accessible though.
Comment 15 claire robinson 2012-09-21 19:57:11 CEST 
I think I may have been getting confused.

ocsinventory-agent is used to send data to oscinventory-server which is configured and monitored by ocsinventory-reports.

It's necessary to install ocsinventory-agent somewhere, which should then talk to the server. It is not a browser which connects to localhost/ocsinventory but the agent.

Marc is having more success with this than me today :)
Comment 16 Marc Lattemann 2012-09-21 20:29:51 CEST 
successfully tested with mga1 i586 using the PoC of description in Comment #9:

1. Installation of ocsinventory-server and ocsinventory-reports on mga1 as ocsinventory-server.

2. On Windows machine installed ocsinventory-agent. Changing description in settings to '<script>alert(String.fromCharCode(88,83,83))</script>' (refer to PoC) and send data to server on mga1.

3. going to http://IP-from-server/ocsinventory-reports/ and select details of the Windows machine

before update a pop-up with 'XSS' appears. After update '<script>alert(String.fromCharCode(88,83,83))</script>' will be displayed as Description

will now test mga1 x86_64.

Whiteboard: feedback => MGA1-32-OK

Comment 17 Marc Lattemann 2012-09-21 21:50:16 CEST 
successfully tested also on mga1 x86_64.

Update validated.

Please see Comment #8 for advisory and source rpm.
Could sysadmin please push from core/updates_testing to core/updates. 

Thank you.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1-32-OK => MGA1-32-OK, MGA1-64-OK

Comment 18 Thomas Backlund 2012-09-23 18:24:46 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0275

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED