Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20151012161612.5FE516C04EF@smtpvmsrv1.mitre.org>
Date: Mon, 12 Oct 2015 12:16:12 -0400 (EDT)
From: cve-assign@...re.org
To: nathan.van.gheem@...ne.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: Plone CSRF

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Can a CVE be assigned to this issue, please?
> 
>    https://plone.org/security/20151006/multiple-csrf-vulnerabilities-in-zope
>    https://plone.org/products/plone/security/advisories/security-vulnerability-20151006-csrf
> 
> Plone is built on the Zope2 application framework. In the Zope2 application
> framework, there are multiple CSRF vulnerabilities. The latest version of
> Plone has automatic CSRF protection integrated at the database layer. This
> patch basically backports the latest automatically CSRF infrastructure to
> Plone 4.x.

The vulnerability information can be covered in CVE; however, we do
not really understand why it is being presented in this way.

https://github.com/plone/plone4.csrffixes says "there are a lot of
CSRF problem with the ZMI that Zope2 will never be able to fix." It
seems that, normally, if one or more persons had discovered CSRF
problems in Zope2, then they could have CVE IDs for their discoveries.
Why is this a "never be able to fix" situation? Is there, more or
less, a requirement that Zope2 allow arbitrary requests from clients
that have never previously read the content of any web page, because
of the variety of ways that Zope2 is used? In that situation, the
request behavior of Zope2 would not necessarily be considered a Zope2
vulnerability.

Also, a separate issue is that the CVE request is specifically about
backporting. It seems that, at some time in the past, the possibility
of CSRF attacks against default Plone sites was identified and this
motivated the development of auto CSRF protection in Plone 5.
Normally, an assignment of a CVE ID or IDs would be associated with
the original discovery, not a later backporting of fixes. Are these
equivalent in this case: for example, were all of the CSRF attack
possibilities against default Plone sites discovered by Plone
Foundation contributors, and security-vulnerability-20151006-csrf is
the first general public announcement that these CSRF issues existed
at all?

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWG9wmAAoJEL54rhJi8gl5n6oQAKXuzwqb4bmBs4K5NhpJ4NtI
d37u737MsJSGLLtXGlrupC2XDwq/LuSN80SmOQVYnPn4EU4SU+17bvwjOP30LECD
DJMt7m10LuGjamyrbFGfALzXh0iPkZHoUN289c+oQZN9P8pdVlVfZlVrgZP2KPQk
3MbELeGrh0NogA2+yRFAdufKQovo4cnyQuHsxqpV/7Mv+YJwlFInhJVcrI35F5TF
R3sDKoIkjMXicPRA9+9dZYnTeNmypGVhuBUhG6UwW+Ob4dlR6fAyMH6NV+977r+5
9DnDsyHQ+6axYqNT/+4kY1tXHi9dXvhSoV71OGtcMODknD7RyiVdF1DpuJl7PP7Y
u+TaqrN7A7x5kalSCspLYsYlvciyIXURJv32ZANVeT/67mEqnWky7ZnoUrssPqzf
FIgqAM1MUPD9KT+P9zDoiG0oFfVKpu9EqLlo372pyw+nVn/2U0fPdGzKro+kOZGQ
CU+wxdFX2xwZTAsP1JXzHBoHEY0Q/i+GSAlqHvNuILlLgdypPS9YxiCNc0pVmsBE
2HRxNoZAWBhiAD/B/nEFjNyvi6yGzz35QNhaYGeMQpVrlDh65BNt3wT+pkCxB/tr
W7ZbRsu4DBxt/yyVy9FqOdw0eIqo2beplKxVWHjbAIKapQjCyJ0VXD887CBw7AlC
uVpQbre4M9bmYXVg95Bz
=tvlJ
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.