Date: Sat, 2 Aug 2014 21:07:23 +0400
Subject: Re: CVE Request: Enforce use of HTTPS for MathJax in IPython

On 31-Jul-2014 23:23:18 -0500, Kyle Kelley wrote:

 > Summary: When using the IPython notebook without encryption
 > (i.e. running the server on HTTP instead of HTTPS), mathjax is
 > loaded over HTTP. An attacker with fortuitous network position
 > could execute code on a local IPython notebook by modifying the
 > mathjax javascript.

HTTPS wouldn't help much: the attackers (most of which are known to
use 3-letter names) can (and they really do) issue a fake certificate
for their decoy servers.

In general, nothing received from the Net could be trusted. And the
HTTPS doesn't guarantee anything beyond "this certificate was signed
by this CA" - was that voluntary or forced.

Enforcing HTTPS for the whole site is even more stupid: normally only
user-specific data (login procedure, personal settings for registered
users, etc) should be forced to go through HTTPS; everything else
should normally be left up to the users' wish.

But the terminal state of mental disability is... yes, using scripts
from outer sources: intercepting one popular source like */jquery.min.js will
allow the attacker to not bother of intercepting other sites directly.

 > This issue was fixed in the git master branch (development branch
 > for upcoming v. 2.2) with commit cf793ebc4, on 7/31/2014:

Not a vulnerability, not a fix.

Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://
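The risk both posters touch on is a page pulling script from a third-party origin over plain HTTP (or over a scheme-relative `//` URL that inherits the page's own scheme). The following is an added example, not code from the thread or from the IPython project: a small Python audit that parses an HTML page and reports external `<script>` tags that would be fetched over plain HTTP, plus third-party scripts served over HTTPS that carry no `integrity` (Subresource Integrity) attribute. The sample HTML, the `cdn.example` host and the `page_scheme` parameter are constructed for the example.

```python
"""Audit external <script> sources in an HTML page (added example).

Reports scripts that a browser would fetch over plain HTTP, and third-party
HTTPS scripts that carry no Subresource Integrity (integrity=...) attribute.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect the attribute dict of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            # HTMLParser lowercases attribute names; values may be None
            self.scripts.append(dict(attrs))


def audit_scripts(html, page_scheme="http"):
    """Return a list of (src, issue) findings, in document order.

    page_scheme is the scheme the page itself is served over; a
    scheme-relative src ("//host/lib.js") is fetched with that scheme.
    """
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.scripts:
        src = attrs.get("src")
        if not src:
            continue  # inline script: no network fetch to audit
        parsed = urlparse(src)
        if parsed.scheme == "http":
            issue = "plain-http"
        elif parsed.scheme == "" and parsed.netloc:
            # scheme-relative URL: effective scheme is the page's own
            issue = "plain-http" if page_scheme == "http" else None
        elif parsed.scheme == "https":
            issue = None
        else:
            continue  # same-origin relative path or unusual scheme
        # Third-party script fetched over TLS but with no integrity check
        if issue is None and parsed.netloc and "integrity" not in attrs:
            issue = "third-party-without-sri"
        if issue:
            findings.append((src, issue))
    return findings


def has_insecure_scripts(html, page_scheme="http"):
    """True if any script would be loaded over plain HTTP."""
    return any(issue == "plain-http"
               for _, issue in audit_scripts(html, page_scheme))


# Constructed sample page; cdn.example is a placeholder host.
SAMPLE_HTML = """
<html><head>
<script src="http://cdn.example/MathJax.js"></script>
<script src="//cdn.example/jquery.min.js"></script>
<script src="https://cdn.example/lib.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://cdn.example/other.js"></script>
<script src="/static/local.js"></script>
<script>var inline = 1;</script>
</head></html>
"""

if __name__ == "__main__":
    for scheme in ("http", "https"):
        print("page served over %s:" % scheme)
        for src, issue in audit_scripts(SAMPLE_HTML, page_scheme=scheme):
            print("  %-40s %s" % (src, issue))
```

Run against a notebook page served over HTTP, the scheme-relative jQuery reference is reported as plain HTTP alongside the explicit `http://` MathJax reference; serve the same page over HTTPS and both of those downgrade to the weaker "no integrity attribute" finding, since the fetch is then encrypted but the page still places full trust in whatever the CDN returns.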
