Date: Sat, 27 Jul 2013 13:09:37 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Evan Teitelman <teitelmanevan@...il.com>, scottydroid@...il.com,
        "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE Request - Coin Widget serves code over plain http.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/26/2013 07:19 PM, Evan Teitelman wrote:
> Coin Widget is a Bitcoin and Litecoin donation widget. Its code
> is normally downloaded from http://coinwidget.com/widget/coin.js in
> the following manner.
> 
> <script src="http://coinwidget.com/widget/coin.js"></script>
> <script>
> CoinWidgetCom.go({
>     wallet_address: "31uEbMgunupShBVTewXjtqbBv5MndwfXhb",
>     currency: "bitcoin",
>     counter: "count",
>     alignment: "bl",
>     qrcode: true,
>     auto_show: false,
>     lbl_button: "Donate",
>     lbl_address: "My Bitcoin Address:",
>     lbl_count: "donations",
>     lbl_amount: "BTC"
> });
> </script>
> 
> Without SSL or similar protection, it is possible for the code to
> be modified in transit. A malicious individual could modify the
> code to replace a legitimate wallet address with his or her own.

I also tried "https://coinwidget.com/widget/coin.js" and it failed
(you can telnet to the port, it's open, but I got an SSL error). If
you try
"https://www.ssllabs.com/ssltest/analyze.html?d=coinwidget.com+"
you'll see the same.

> I believe this vulnerability is an example of CWE-300. Does it need
> a CVE identifier?

The problem is not in the code, the problem is in how the code is
served/distributed. CVE is traditionally for software and not for
services. So under a simplistic reading of that strict definition I
would say this doesn't deserve a CVE.

However, the world is changing; for example, a program that included an
auto-updater component that was advertised as being "Secure" but went
over HTTP would probably qualify for a CVE.

Steve, I'm bouncing this to you. I'm inclined to NOT assign a CVE since
it opens up a huge can of worms (every single bit of JavaScript served
from HTTP and not available via HTTPS ever), but I can also see how it
should maybe get a CVE.

The good news is that future versions of Firefox are implementing a
security policy that when loading a page from HTTPS they will not load
page components from HTTP, which would fix this issue. Hopefully all
the browsers do this.

> 
> I have copied the creator of Coin Widget on this email.
> 
> Thank you for your time, Evan Teitelman.
> 


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
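As an added example (not code from this thread or from Coin Widget), a small JavaScript audit that flags the script tags a page loads over plain http, the mixed-content case Kurt says future Firefox versions will block, and checks that the wallet_address in the embedded widget config is still the one the site owner expects. The sample page, the placeholder tampered address and the function names are constructed for the example.

```javascript
// Constructed sample page embedding Coin Widget as the report shows.
const SAMPLE_PAGE = `<html><body>
<script src="http://coinwidget.com/widget/coin.js"></script>
<script src="https://example.invalid/other.js"></script>
<script>
CoinWidgetCom.go({ wallet_address: "31uEbMgunupShBVTewXjtqbBv5MndwfXhb",
  currency: "bitcoin", lbl_button: "Donate" });
</script>
</body></html>`;

// Return the src of every external script that would be fetched over plain
// http: an explicit http:// URL, or a scheme-relative // URL on an http page.
function findInsecureScripts(html, pageScheme = "https") {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const hits = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = m[1].trim();
    const plainHttp = /^http:\/\//i.test(src);
    const inheritsScheme = src.startsWith("//") && pageScheme === "http";
    if (plainHttp || inheritsScheme) hits.push(src);
  }
  return hits;
}

// Pull the wallet_address passed to CoinWidgetCom.go, or null if absent.
function extractWalletAddress(html) {
  const re = /CoinWidgetCom\.go\(\s*\{[^}]*?\bwallet_address\s*:\s*["']([^"']+)["']/;
  const m = re.exec(html);
  return m ? m[1] : null;
}

// Compare the address on the page with the one the site owner expects;
// a mismatch means the widget configuration was altered somewhere.
function walletMatches(html, expected) {
  return extractWalletAddress(html) === expected;
}

const EXPECTED_WALLET = "31uEbMgunupShBVTewXjtqbBv5MndwfXhb";
// Constructed tampered copy with an obvious placeholder address swapped in.
const TAMPERED_PAGE = SAMPLE_PAGE.replace(EXPECTED_WALLET,
  "1PLACEHOLDERaddressXXXXXXXXXXXXXXX");

console.log("insecure scripts:", findInsecureScripts(SAMPLE_PAGE));
console.log("wallet intact:", walletMatches(SAMPLE_PAGE, EXPECTED_WALLET));
console.log("tampered copy intact:", walletMatches(TAMPERED_PAGE, EXPECTED_WALLET));
```

The same scan over a real deployment would be run against the HTML as the browser receives it, since the substitution the report describes happens in transit, not on the origin server.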
