Mandriva issued this advisory on Wednesday (April 4): http://www.mandriva.com/en/support/security/advisories/?dis=mes5&name=MDVSA-2012:053 Cauldron is not vulnerable. You could patch it, or just update to the newest version, as was requested in Bug 2129.
CC: (none) => mageia
CC: (none) => guillomovitch
CC: guillomovitch => (none)
CC: (none) => pterjan
Also see https://bugs.mageia.org/show_bug.cgi?id=5063#c21
CC: (none) => davidwhodgins
This is only valid for mga 1. According to the Mandriva advisory, version 2.0.1 and earlier are vulnerable; we have 2.0.4 on mga 2 and we are in the process of updating to the latest 2.0.5 on cauldron (agent ready) with one of my apprentices.
CC: (none) => juan.baptiste
CC: (none) => bersuit.vera
Yes, that's correct. This bug is for Mageia 1.
I am working to patch the security issue
Status: NEW => ASSIGNED
Assignee: bugsquad => bersuit.vera
I have pushed to mga 1 core/updates_testing a patched version done by Alfonso: ocsinventory-1.3.3-1.1.mga1, reassigning to QA. Alfonso, don't forget to write the advisory, you can base it on Mandriva's one.
Assignee: bersuit.vera => bugsquad
Assignee: bugsquad => qa-bugs
Packages built by this SRPM: ocsinventory-server-1.3.3-1.1.mga1 ocsinventory-reports-1.3.3-1.1.mga1
Juan, Alfonso, what about the issue Dave mentioned in Comment 1?
Suggested advisory:
========================
A vulnerability has been found and corrected in ocsinventory:
Cross-site scripting (XSS) vulnerability in ocsinventory in OCS Inventory NG 2.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors (CVE-2011-4024).
The updated packages have been patched to correct this issue.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4024
========================
Updated packages in {core,tainted,nonfree}/updates_testing:
========================
ocsinventory-server-1.3.3-1.1.mga1
ocsinventory-reports-1.3.3-1.1.mga1
Source RPM:
ocsinventory-1.3.3-1.1.mga1.src.rpm
PoC @ http://www.exploit-db.com/exploits/18005/
I'm having problems getting ocsinventory-server working to test the PoC.
Browsing to localhost/ocsinventory gives a Bad Request 400 error.
In apache error log I see..
    ocsinventory-server: Can't load SOAP::Transport::HTTP* - Web service will be unavailable
    $ urpmq --whatprovides 'perl(SOAP::Transport::HTTP)'
    perl-SOAP-Lite
    $ rpm -q perl-SOAP-Lite
    perl-SOAP-Lite-0.712.0-1.mga1
Looking in /etc/httpd/conf/webapps.d/ocsinventory-server.conf I think it is missing ::SOAP from..
    PerlHandler Apache::Ocsinventory
Adding it so that it reads..
    PerlHandler Apache::Ocsinventory::SOAP
and restarting apache, it now gives a 403 Access Forbidden error.
Not sure where to go from here. Any pointers?
Also, ocsinventory-reports complains of missing php-gd
I got a little bit further. Setting WEB_SERVICE_ENABLED to 1 in /etc/httpd/conf/webapps.d/ocsinventory-server.conf
It now gives a 500 error..
    The server encountered an internal error and was unable to complete your request.
    Error message: Can't call method "handler" on an undefined value at /usr/lib/perl5/vendor_perl/5.12.3/Apache/Ocsinventory/SOAP.pm line 37.
Googling the error I found http://forums.ocsinventory-ng.org/viewtopic.php?id=5134
It seems to say we need perl-XML-Entities and Apache2::SOAP but..
    $ rpm -q perl-XML-Entities
    package perl-XML-Entities is not installed
    $ urpmq --whatprovides 'perl(Apache2::SOAP)'
    No package named perl(Apache2::SOAP)
    $ urpmq --whatprovides 'perl(Apache::SOAP)'
    perl-SOAP-Lite
So maybe some missing requires here.
Installing perl-XML-Entities makes no difference.
Whiteboard: (none) => feedback
Hi Claire, The security error is in ocsreports, install php-mbstring to view ocsreports, I think this bug https://bugs.mageia.org/show_bug.cgi?id=7222 works in MGA1. This SOAP error is minor. http://forums.ocsinventory-ng.org/viewtopic.php?id=9102
Thanks for the response Alfonso. As far as I can tell, you should be able to access localhost/ocsinventory but there are errors as above. Meaning the package is in effect broken, unless it is not supposed to be accessed this way? /etc/httpd/conf/webapps.d/ocsinventory-server.conf does seem to suggest it should be. localhost/ocsinventory-reports is accessible though.
I think I may have been getting confused. ocsinventory-agent is used to send data to ocsinventory-server which is configured and monitored by ocsinventory-reports. It's necessary to install ocsinventory-agent somewhere, which should then talk to the server. It is not a browser which connects to localhost/ocsinventory but the agent. Marc is having more success with this than me today :)
Successfully tested with mga1 i586 using the PoC of description in Comment #9:
1. Installation of ocsinventory-server and ocsinventory-reports on mga1 as ocsinventory-server.
2. On Windows machine installed ocsinventory-agent. Changing description in settings to '<script>alert(String.fromCharCode(88,83,83))</script>' (refer to PoC) and send data to server on mga1.
3. Going to http://IP-from-server/ocsinventory-reports/ and select details of the Windows machine. Before update a pop-up with 'XSS' appears. After update '<script>alert(String.fromCharCode(88,83,83))</script>' will be displayed as Description.
Will now test mga1 x86_64.
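A regression check for the before/after behaviour described in the test above, as an added example that is not part of the bug report or of the ocsinventory code: it parses a page and reports whether the marker description ended up as a live script element or as inert text. The `render_row` markup is a constructed stand-in (an assumption); the real ocsreports page layout is not shown in this report.

```python
import html
from html.parser import HTMLParser

# Marker string from the test report above (the value set as the agent's description).
MARKER = "<script>alert(String.fromCharCode(88,83,83))</script>"
MARKER_BODY = "String.fromCharCode(88,83,83)"

class MarkerFinder(HTMLParser):
    """Records whether the marker was parsed as markup or delivered as plain text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_script = False
        self.executed = False  # marker body seen inside a real <script> element
        self.as_text = False   # whole marker seen as inert character data

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script and MARKER_BODY in data:
            self.executed = True
        elif not self.in_script and MARKER in data:
            self.as_text = True

def classify(page: str) -> str:
    """Return 'vulnerable', 'escaped' or 'marker-not-found' for one page of HTML."""
    finder = MarkerFinder()
    finder.feed(page)
    finder.close()
    if finder.executed:
        return "vulnerable"
    return "escaped" if finder.as_text else "marker-not-found"

def render_row(description: str, escape: bool) -> str:
    """Constructed stand-in for the detail row, not the real ocsreports markup."""
    value = html.escape(description) if escape else description
    return f"<table><tr><td>Description</td><td>{value}</td></tr></table>"

if __name__ == "__main__":
    print("before update:", classify(render_row(MARKER, escape=False)))
    print("after update: ", classify(render_row(MARKER, escape=True)))
```

Feeding `classify` the saved HTML of the machine details page gives the same three-way answer, which makes the check repeatable across the i586 and x86_64 test systems.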
Whiteboard: feedback => MGA1-32-OK
successfully tested also on mga1 x86_64. Update validated. Please see Comment #8 for advisory and source rpm. Could sysadmin please push from core/updates_testing to core/updates. Thank you.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1-32-OK => MGA1-32-OK, MGA1-64-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0275
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED