Date: Mon, 12 Oct 2015 12:04:40 -0500 From: Nathan Van Gheem <nathan.van.gheem@...ne.org> To: cve-assign@...re.org Cc: oss-security@...ts.openwall.com Subject: Re: CVE Request: Plone CSRF On Mon, Oct 12, 2015 at 11:16 AM, <cve-assign@...re.org> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > > Can a CVE be assigned to this issue, please? > > > > > https://plone.org/security/20151006/multiple-csrf-vulnerabilities-in-zope > > > https://plone.org/products/plone/security/advisories/security-vulnerability-20151006-csrf > > > > Plone is built on the Zope2 application framework. In the Zope2 > application > > framework, there are multiple CSRF vulnerabilities. The latest version of > > Plone has automatic CSRF protection integrated at the database layer. > This > > patch basically backports the latest automatically CSRF infrastructure to > > Plone 4.x. > > The vulnerability information can be covered in CVE; however, we do > not really understand why it is being presented in this way. > > https://github.com/plone/plone4.csrffixes says "there are a lot of > CSRF problem with the ZMI that Zope2 will never be able to fix." It > seems that, normally, if one or more persons had discovered CSRF > problems in Zope2, then they could have CVE IDs for their discoveries. > We have one person who discovered and submitted a vulnerability. On further investigation by the security team, more vulnerabilities were found. There are no CVEs. The backport is of the technology to protect all functionality, along with addons of the CMS. > Why is this a "never be able to fix" situation? Is there, more or > less, a requirement that Zope2 allow arbitrary requests from clients > that have never previously read the content of any web page, because > of the variety of ways that Zope2 is used? In that situation, the > request behavior of Zope2 would not necessarily be considered a Zope2 > vulnerability. > Zope2 development is dead. They do not have the people to address the problem and aren't very interested in it(we've tried coordinating). It is a Zope2 issue vulnerability. Plone will likely be forking... > > Also, a separate issue is that the CVE request is specifically about > backporting. It seems that, at some time in the past, the possibility > of CSRF attacks against default Plone sites was identified and this > motivated the development of auto CSRF protection in Plone 5. > Normally, an assignment of a CVE ID or IDs would be associated with > the original discovery, not a later backporting of fixes. Are these > equivalent in this case: for example, were all of the CSRF attack > possibilities against default Plone sites discovered by Plone > Foundation contributors, and security-vulnerability-20151006-csrf is > the first general public announcement that these CSRF issues existed > at all? > There are no other previously known unpatched CSRF vulnerabilities this is backporting. After testing, we knew that our automatic CSRF protection also addressed the reported CSRF issue. security-vulnerability-20151006-csrf is the first public announcement that Zope2 is mostly unprotected. Zope2 has a collection of management interfaces, many of which are vulnerable. > > - -- > CVE assignment team, MITRE CVE Numbering Authority > M/S M300 > 202 Burlington Road, Bedford, MA 01730 USA > [ PGP key available through http://cve.mitre.org/cve/request_id.html ] > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1 > > iQIcBAEBCAAGBQJWG9wmAAoJEL54rhJi8gl5n6oQAKXuzwqb4bmBs4K5NhpJ4NtI > d37u737MsJSGLLtXGlrupC2XDwq/LuSN80SmOQVYnPn4EU4SU+17bvwjOP30LECD > DJMt7m10LuGjamyrbFGfALzXh0iPkZHoUN289c+oQZN9P8pdVlVfZlVrgZP2KPQk > 3MbELeGrh0NogA2+yRFAdufKQovo4cnyQuHsxqpV/7Mv+YJwlFInhJVcrI35F5TF > R3sDKoIkjMXicPRA9+9dZYnTeNmypGVhuBUhG6UwW+Ob4dlR6fAyMH6NV+977r+5 > 9DnDsyHQ+6axYqNT/+4kY1tXHi9dXvhSoV71OGtcMODknD7RyiVdF1DpuJl7PP7Y > u+TaqrN7A7x5kalSCspLYsYlvciyIXURJv32ZANVeT/67mEqnWky7ZnoUrssPqzf > FIgqAM1MUPD9KT+P9zDoiG0oFfVKpu9EqLlo372pyw+nVn/2U0fPdGzKro+kOZGQ > CU+wxdFX2xwZTAsP1JXzHBoHEY0Q/i+GSAlqHvNuILlLgdypPS9YxiCNc0pVmsBE > 2HRxNoZAWBhiAD/B/nEFjNyvi6yGzz35QNhaYGeMQpVrlDh65BNt3wT+pkCxB/tr > W7ZbRsu4DBxt/yyVy9FqOdw0eIqo2beplKxVWHjbAIKapQjCyJ0VXD887CBw7AlC > uVpQbre4M9bmYXVg95Bz > =tvlJ > -----END PGP SIGNATURE----- >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ