Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 29 Aug 2016 16:31:50 -0700
From: Reed Loden <reed@...dloden.com>
To: dregad@...tisbt.org
Cc: oss-security@...ts.openwall.com
Subject: Re: Re: MantisBT weakened CSP when using bundled
 Gravatar plugin

Any reason why you don't just always use the https:// version for Gravatar
here? Why ever use http://? Even if the MantisBT install is on HTTP, best
to always load any third-party resources over TLS to better protect against
MITM.

Just surprised me to see this:
https://github.com/mantisbt/mantisbt/blob/b3511d2feb47eaee41feb5f69cf3c8a2c9acd229/plugins/Gravatar/Gravatar.php#L165-L169

~reed

On Mon, Aug 29, 2016 at 2:51 PM, <cve-assign@...re.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> > MantisBT 1.3.0-rc.2 introduced a new bundled plugin to handle display of
> > users' avatars using Gravatar.
> >
> > Instead of adding the Gravatar web site to the list of allowed image
> > sources in MantisBT's Content Security Policy, the plugin was replacing
> > the whole policy by:
> >
> >    img-src 'self' http://www.gravatar.com/
> >
> > instead of the more strict default one of:
> >
> >    default-src 'self'; frame-ancestors 'none'; style-src 'self';
> >    script-src 'self'
> >
> > Relaxed policy allows execution of remote and inline scripts, e.g.
> > potentially enabling XSS attacks.
> >
> > https://github.com/mantisbt/mantisbt/commit/
> b3511d2feb47eaee41feb5f69cf3c8a2c9acd229
> > https://mantisbt.org/bugs/view.php?id=21263
>
> Use CVE-2016-7111.
>
> - --
> CVE Assignment Team
> M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
> [ A PGP key is available for encrypted communications at
>   http://cve.mitre.org/cve/request_id.html ]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iQIcBAEBCAAGBQJXxK4MAAoJEHb/MwWLVhi2p3EQAKULs3JDc49mBXeyVZ24IUoE
> 6iWcUGjwiE5cHXnAxcNKZZp7/xsFo9tgdLbLZ37x48kU1cwp/B/rnQQCWJHfUJxJ
> gR0qIutmEWCAq3nIVC0IR+tBm//0iiJuTuRhH/NjE9W4+EBPPjIHkkHxvnWLqyJo
> SWBP/JJDYbB8sQ366+WLrNHTdxK+keVcu406KrbagWhPaMG1C9QAkTeHRxovI/me
> JkbA3cVjfmO9BjHrAkbEYEJRU6Qxn8XsXUNW8bGoHBUt4WFON8BOGpt6Yyn1iDCs
> APOou4yZqMPM8jSnS8MOCM9POuuK8QNXMTLPgnMkxLcFntz79ogVmzJYfl6jyQ6V
> PW2dNtFU03QTI4nvL2UbVi1+oEbZycQbRnU0If7wHjedXIekFEX2uik0fAnJRwAk
> LDgT/+g6g02RJZPmteQFrT0ZtXav2rFiznHicL93mRLt1sOiE32ULJrQ8DLBP5SA
> EYitfKS09oBLDdSC5k+wogX22UgoFm4xZLrauVbRMKUApZNvKVSAADNewmRopXKR
> Fm2lDPJKmmb+oOWVBj7MDz7J9u1SvnyVieX+53E8Bt0tnr9KD5R61XNfjnKJtvZg
> +2l+S8HEUN3FdDz2WINbs9z1Sd5Fok9jc+TQXeIXR07jPC+MKE26zywhIiMYIfl/
> 2Rs4hh+EhmuT20OUq14x
> =U1Gg
> -----END PGP SIGNATURE-----
>

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ