Debian Bug report logs - #554486
AST-2009-009: Cross-site AJAX request vulnerability


Package: asterisk; Maintainer for asterisk is Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>; Source for asterisk is src:asterisk.

Reported by: Mark Purcell <msp@debian.org>

Date: Wed, 4 Nov 2009 20:51:01 UTC

Severity: minor

Tags: security

Merged with 555220

Found in version asterisk/1:1.4.21.2~dfsg-3

Fixed in version 1:1.6.2.0~rc3-1

Done: Faidon Liambotis <paravoid@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#554486; Package asterisk. (Wed, 04 Nov 2009 20:51:05 GMT)

Acknowledgement sent to Mark Purcell <msp@debian.org>:
New Bug report received and forwarded. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Wed, 04 Nov 2009 20:51:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Mark Purcell <msp@debian.org>
To: submit@bugs.debian.org
Subject: AST-2009-009: Cross-site AJAX request vulnerability
Date: Thu, 5 Nov 2009 07:36:46 +1100
Package: asterisk
Version: 1:1.4.21.2~dfsg-3
Severity: minor
Tags: security

----------  Forwarded Message  ----------

Subject: [asterisk-announce] AST-2009-009: Cross-site AJAX request vulnerability
Date: Thursday 05 November 2009
From: "Asterisk Security Team" <security@asterisk.org>
To: asterisk-announce@lists.digium.com

               Asterisk Project Security Advisory - AST-2009-009

   +------------------------------------------------------------------------+
   |       Product        | Asterisk                                        |
   |----------------------+-------------------------------------------------|
   |       Summary        | Cross-site AJAX request vulnerability           |
   |----------------------+-------------------------------------------------|
   |  Nature of Advisory  | Cross-site AJAX request exploitation            |
   |----------------------+-------------------------------------------------|
   |    Susceptibility    | Remote Unauthenticated Sessions                 |
   |----------------------+-------------------------------------------------|
   |       Severity       | Minor                                           |
   |----------------------+-------------------------------------------------|
   |    Exploits Known    | No                                              |
   |----------------------+-------------------------------------------------|
   |     Reported On      | October 26, 2009                                |
   |----------------------+-------------------------------------------------|
   |     Reported By      | issues.asterisk.org user jcollie                |
   |----------------------+-------------------------------------------------|
   |      Posted On       | November 4, 2009                                |
   |----------------------+-------------------------------------------------|
   |   Last Updated On    | November 4, 2009                                |
   |----------------------+-------------------------------------------------|
   |   Advisory Contact   | Joshua Colp <jcolp AT digium DOT com>           |
   |----------------------+-------------------------------------------------|
   |       CVE Name       | CVE-2008-7220                                   |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | Asterisk includes a demonstration AJAX based manager     |
   |             | interface, ajamdemo.html which uses the prototype.js     |
   |             | framework. An issue was uncovered in this framework      |
   |             | which could allow someone to execute a cross-site AJAX   |
   |             | request exploit.                                         |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | Upgrade to one of the versions below, or apply one of the |
   |            | patches specified in the Patches section.                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |          Product           | Release |                                 |
   |                            | Series  |                                 |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.2.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.4.x  | All versions prior to 1.4.26.3  |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    | 1.6.0.x | All versions prior to 1.6.0.17  |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    | 1.6.1.x | All versions prior to 1.6.1.9   |
   |----------------------------+---------+---------------------------------|
   |      Asterisk Addons       |  1.2.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   |      Asterisk Addons       |  1.4.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   |      Asterisk Addons       |  1.6.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   | Asterisk Business Edition  |  A.x.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   | Asterisk Business Edition  |  B.x.x  | All versions prior to B.2.5.12  |
   |----------------------------+---------+---------------------------------|
   | Asterisk Business Edition  |  C.x.x  | All versions prior to C.2.4.5   |
   |                            |         | and C.3.2.2                     |
   |----------------------------+---------+---------------------------------|
   |        AsteriskNOW         |   1.5   | All versions                    |
   |----------------------------+---------+---------------------------------|
   | s800i (Asterisk Appliance) |  1.2.x  | Unaffected                      |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |                  Product                   |          Release          |
   |--------------------------------------------+---------------------------|
   |            Asterisk Open Source            |         1.4.26.3          |
   |--------------------------------------------+---------------------------|
   |            Asterisk Open Source            |         1.6.0.17          |
   |--------------------------------------------+---------------------------|
   |            Asterisk Open Source            |          1.6.1.9          |
   |--------------------------------------------+---------------------------|
   |         Asterisk Business Edition          |         B.2.5.12          |
   |--------------------------------------------+---------------------------|
   |         Asterisk Business Edition          |          C.2.4.5          |
   |--------------------------------------------+---------------------------|
   |         Asterisk Business Edition          |          C.3.2.2          |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                                Patches                                 |
   |------------------------------------------------------------------------|
   |                            SVN URL                            |Revision|
   |---------------------------------------------------------------+--------|
   |http://downloads.digium.com/pub/asa/AST-2009-009-1.4.diff.txt  |1.4     |
   |---------------------------------------------------------------+--------|
   |http://downloads.digium.com/pub/asa/AST-2009-009-1.6.0.diff.txt|1.6.0   |
   |---------------------------------------------------------------+--------|
   |http://downloads.digium.com/pub/asa/AST-2009-009-1.6.1.diff.txt|1.6.1   |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |     Links      | https://issues.asterisk.org/view.php?id=16139         |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security                                       |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2009-009.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2009-009.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |         Date          |      Editor       |       Revisions Made       |
   |-----------------------+-------------------+----------------------------|
   | October 29, 2009      | Joshua Colp       | Initial release            |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2009-009
              Copyright (c) 2009 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#554486; Package asterisk. (Wed, 04 Nov 2009 21:15:03 GMT)

Acknowledgement sent to Faidon Liambotis <paravoid@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Wed, 04 Nov 2009 21:15:03 GMT)

Message #10 received at 554486@bugs.debian.org:

From: Faidon Liambotis <paravoid@debian.org>
To: security@debian.org
Cc: 554487@bugs.debian.org, 554486@bugs.debian.org
Subject: New asterisk vulnerabilities
Date: Wed, 04 Nov 2009 23:09:48 +0200
Security Team, hi,

Two new asterisk vulnerabilities were announced today, affecting lenny
and unstable; the first one also affects etch.

http://downloads.asterisk.org/pub/security/AST-2009-008.html
http://downloads.asterisk.org/pub/security/AST-2009-009.html

No CVE numbers yet.

These are tracked in Debian BTS as #554487 and #554486, respectively.

My opinion is that these are relatively minor. My plan is:
- for lenny, fixing them in an s-p-u upload (along with some other
  stacked up fixes)
- for sid, fixing them with the next upload, whenever that is,
- for etch, not fixing them but announcing an EoL of its security support
  due to other vulnerabilities, as previously agreed with Moritz.

Let me know if you disagree with any of the above.

Thanks,
Faidon




Reply sent to Faidon Liambotis <paravoid@debian.org>:
You have taken responsibility. (Sat, 07 Nov 2009 04:12:04 GMT)

Notification sent to Mark Purcell <msp@debian.org>:
Bug acknowledged by developer. (Sat, 07 Nov 2009 04:12:04 GMT)

Message #15 received at 554486-done@bugs.debian.org:

From: Faidon Liambotis <paravoid@debian.org>
To: 554486-done@bugs.debian.org
Subject: Re: Bug#554486: AST-2009-009: Cross-site AJAX request vulnerability
Date: Sat, 07 Nov 2009 05:37:31 +0200
Version: 1:1.6.2.0~rc3-1

Mark Purcell wrote:
>    | Description | Asterisk includes a demonstration AJAX based manager     |
>    |             | interface, ajamdemo.html which uses the prototype.js     |
>    |             | framework. An issue was uncovered in this framework      |
>    |             | which could allow someone to execute a cross-site AJAX   |
>    |             | request exploit.                                         |
We stopped shipping the demo web interface (partly because of the
prototype vulnerability) in 1:1.6.2.0~rc3-1.

Closing this for unstable.

Regards,
Faidon




Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#554486; Package asterisk. (Sat, 07 Nov 2009 17:39:08 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Sat, 07 Nov 2009 17:39:08 GMT)

Message #20 received at 554486@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Faidon Liambotis <paravoid@debian.org>
Cc: security@debian.org, 554487@bugs.debian.org, 554486@bugs.debian.org
Subject: Re: New asterisk vulnerabilities
Date: Sat, 7 Nov 2009 18:15:55 +0100
On Wed, Nov 04, 2009 at 11:09:48PM +0200, Faidon Liambotis wrote:
> Security Team, hi,
> 
> Two new asterisk vulnerabilities were announced today, affecting lenny
> and unstable; the first one also affects etch.
> 
> http://downloads.asterisk.org/pub/security/AST-2009-008.html
> http://downloads.asterisk.org/pub/security/AST-2009-009.html
> 
> No CVE numbers yet.

AST-2009-008 is CVE-2009-3727, the ID for AST-2009-008 in the advisory
is wrong/duped.

> These are tracked in Debian BTS as #554487 and #554486, respectively.
> 
> My opinion is that these are relatively minor. My plan is:
> - for lenny, fixing them in an s-p-u upload (along with some other
>   stacked up fixes)
> - for sid, fixing them with the next upload, whenever that is,
> - for etch, not fixing them but announcing an EoL of its security support
>   due to other vulnerabilities, as previously agreed with Moritz.
> 
> Let me know if you disagree with any of the above.

Agreed and added to the Security Tracker.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#554486; Package asterisk. (Sun, 08 Nov 2009 19:57:03 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Sun, 08 Nov 2009 19:57:03 GMT)

Message #25 received at 554486@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Faidon Liambotis <paravoid@debian.org>
Cc: security@debian.org, 554487@bugs.debian.org, 554486@bugs.debian.org
Subject: Re: New asterisk vulnerabilities
Date: Sun, 8 Nov 2009 20:53:40 +0100
On Wed, Nov 04, 2009 at 11:09:48PM +0200, Faidon Liambotis wrote:
> Security Team, hi,
> 
> Two new asterisk vulnerabilities were announced today, affecting lenny
> and unstable; the first one affects also etch.
> 
> http://downloads.asterisk.org/pub/security/AST-2009-008.html
> http://downloads.asterisk.org/pub/security/AST-2009-009.html

This one is about a prototypejs issue, which is included in
Asterisk and which was fixed in the prototypejs Debian package
in 1.6.0.2-1. Since the code was removed in 1:1.6.2.0~rc3-1,
it should already be fixed, am I correct?

Cheers,
       Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#554486; Package asterisk. (Sun, 08 Nov 2009 20:42:06 GMT)

Acknowledgement sent to Faidon Liambotis <paravoid@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Sun, 08 Nov 2009 20:42:06 GMT)

Message #30 received at 554486@bugs.debian.org:

From: Faidon Liambotis <paravoid@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: security@debian.org, 554487@bugs.debian.org, 554486@bugs.debian.org
Subject: Re: New asterisk vulnerabilities
Date: Sun, 08 Nov 2009 22:06:30 +0200
Moritz Muehlenhoff wrote:
> On Wed, Nov 04, 2009 at 11:09:48PM +0200, Faidon Liambotis wrote:
>> Security Team, hi,
>>
>> Two new asterisk vulnerabilities were announced today, affecting lenny
>> and unstable; the first one also affects etch.
>>
>> http://downloads.asterisk.org/pub/security/AST-2009-008.html
>> http://downloads.asterisk.org/pub/security/AST-2009-009.html
> 
> This one is about a prototypejs issue, which is included in
> Asterisk and which was fixed in the prototypejs Debian package
> in 1.6.0.2-1. Since the code was removed in 1:1.6.2.0~rc3-1,
> it should already be fixed, am I correct?
Yes, it is mentioned in the 1:1.6.2.0~rc3-1 changelog:

* Stop shipping old static-http code in examples. Among other things, it
  includes a vulnerable version of the prototype JavaScript library.

I have the same change in the lenny upload I'm preparing, although I'm less
than happy with the fact that users who have already copied this from the
examples to their web root will still be vulnerable.

Thanks,
Faidon
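Faidon's concern above is a case the package fix cannot reach: a copy of the example interface already deployed under a site's web root keeps the old prototype.js after the package stops shipping it. The script below is an added example, not part of this bug report or of the asterisk or prototypejs packages. It walks a web root for prototype*.js files, reads the `Version: '...'` line the library carries in its header (the header format is an assumption about the library, not something the thread states), and flags every copy older than 1.6.0.2, the upstream release that Moritz names as fixed in Debian's prototypejs 1.6.0.2-1. Files with no recognisable version line are flagged too, since an administrator cannot tell them apart from an old copy. `/var/www` in the usage line is a placeholder web root.

```bash
#!/bin/sh
# Added example (not from the bug report): find copies of prototype.js under
# a web root and flag those older than the fixed release named in the thread.
# Assumption: prototype.js states its release in a header line of the form
#   Version: '1.6.0.2',

FIXED_VERSION="1.6.0.2"

# Print the version string embedded in a prototype.js file, or "unknown"
# when no Version: line is found.
prototype_version() {
    v=$(sed -n "s/^[[:space:]]*Version:[[:space:]]*'\([0-9][0-9._]*\)'.*/\1/p" "$1" | head -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unknown\n'; fi
}

# Return 0 when dotted version $1 is strictly older than $2, 1 otherwise.
# Components are compared numerically, so 1.6.0.2 sorts before 1.6.1.
version_lt() {
    [ "$1" = "$2" ] && return 1
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0;
            yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi < yi) exit 0;
            if (xi > yi) exit 1;
        }
        exit 1
    }'
}

# Walk a web root and print one line per prototype*.js found:
#   VULNERABLE <version> <path>   (older than FIXED_VERSION, or unknown)
#   ok <version> <path>
# Returns 1 if at least one vulnerable copy was found, 0 otherwise.
scan_webroot() {
    list=$(mktemp)
    find "$1" -type f -name 'prototype*.js' 2>/dev/null | sort > "$list"
    found=0
    while IFS= read -r f; do
        v=$(prototype_version "$f")
        if [ "$v" = "unknown" ] || version_lt "$v" "$FIXED_VERSION"; then
            printf 'VULNERABLE %s %s\n' "$v" "$f"
            found=1
        else
            printf 'ok %s %s\n' "$v" "$f"
        fi
    done < "$list"
    rm -f "$list"
    return $found
}

# Usage: sh check-prototype.sh /var/www   (placeholder web root)
if [ -n "${1:-}" ]; then
    scan_webroot "$1"
fi
```

The exit status makes the scan usable from a cron job or a configuration-management run: a non-zero return means a stale copy was found under the given root. The version comparison is numeric per component rather than a plain string compare, so a later release such as 1.6.1 is not mistaken for an older one.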




Forcibly Merged 554486 555220. Request was from Faidon Liambotis <paravoid@debian.org> to control@bugs.debian.org. (Mon, 09 Nov 2009 00:42:28 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 11 Dec 2009 07:30:19 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 08:46:09 2014; Machine Name: buxtehude.debian.org
