Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 29 Apr 2015 18:33:43 -0400 (EDT)
From: cve-assign@...re.org
To: admin@...bh.am
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request - TelescopeJS Information Leakage: User BCrypt password hash post-authentication

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> TelescopeJS leaks the users BCrypt password hash in incoming websocket
> messages once the user has authenticated. Due to the fact that TelescopeJS
> is an expressjs web application, it uses the model of storing session
> information in the browsers localStorage.
> 
> This means that if an attacker is able to find a single cross-site
> scripting flaw in MeteorJS, they would then be able to extract the users
> password hash from incoming websocket messages. This hash could then be
> cracked.
> 
> The bcrypt hash is sent in incoming websocket messages every time the user
> object is needed by the application.
> 
> This vulnerability affects TelescopeJS installations below version 0.15.
> 
> A discussion about these issues can be found here:
> https://github.com/TelescopeJS/Telescope/issues/838
> 
> The commits leading to the fix for this flaw can be found here:
> 
> https://github.com/TelescopeJS/Telescope/blob/dd6130637c00a8166cc4647153b441cb32b7ca61/lib/publications.js#L29-L31

In this case, it appears that a primary developer of TelescopeJS (the
person at the top of the GitHub contributors list) is indicating that
the previous behavior was unsafe:

  https://github.com/TelescopeJS/Telescope/issues/838#issuecomment-85762182

Use CVE-2015-3454.

(In other cases, it is possible that an issue exploitable only after
"find a single cross-site scripting flaw" would not have a CVE ID
assigned.)

Also, as suggested by the
https://github.com/TelescopeJS/Telescope/issues/838#issuecomment-85734879
comment, lack of the HTTPOnly flag is not relevant to this product. There
is no CVE ID for that HTTPOnly issue.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVQVvJAAoJEKllVAevmvmsgP8H/AwdIXhHywd7hzcTswbNx1aJ
mJNAPXzix/1aMU2Ptj3BaUNazeEyb+6KprV4I7ob8mXw1IEus66YQhsrUfKX46XD
bIiZ1lNNDbZeOrmygP1t4P3F2gOYq3T20R16aDxuPsGCD9JXSJulxcjqsvvHWecy
Qq7GpjTg0jBCuLOjvTIldslH9QeL4sheGdPzo4RrP66tc67X//btJ78zvwx+5r8i
eAqjrreIiF3rFae0PJj9lwn5S6FSIe8cwvN+j2oF6AVfmbHg4Ueiw/ADJ8YSqpoa
2OOXl1IkpNmHn2L2HkOsaTZ4xu3bJSty0jLBGSmZW8WTpn7TmNO1IdbYmi4AQ1w=
=LWDM
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.