Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 12 Oct 2015 12:04:40 -0500
From: Nathan Van Gheem <nathan.van.gheem@...ne.org>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE Request: Plone CSRF

On Mon, Oct 12, 2015 at 11:16 AM, <cve-assign@...re.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> > Can a CVE be assigned to this issue, please?
> >
> >
> https://plone.org/security/20151006/multiple-csrf-vulnerabilities-in-zope
> >
> https://plone.org/products/plone/security/advisories/security-vulnerability-20151006-csrf
> >
> > Plone is built on the Zope2 application framework. In the Zope2
> application
> > framework, there are multiple CSRF vulnerabilities. The latest version of
> > Plone has automatic CSRF protection integrated at the database layer.
> This
> > patch basically backports the latest automatically CSRF infrastructure to
> > Plone 4.x.
>
> The vulnerability information can be covered in CVE; however, we do
> not really understand why it is being presented in this way.
>
> https://github.com/plone/plone4.csrffixes says "there are a lot of
> CSRF problem with the ZMI that Zope2 will never be able to fix." It
> seems that, normally, if one or more persons had discovered CSRF
> problems in Zope2, then they could have CVE IDs for their discoveries.
>
We have one person who discovered and submitted a vulnerability. On further
investigation by the security team, more vulnerabilities were found.

There are no CVEs. The backport is of the technology to protect all
functionality, along with addons of the CMS.


> Why is this a "never be able to fix" situation? Is there, more or
> less, a requirement that Zope2 allow arbitrary requests from clients
> that have never previously read the content of any web page, because
> of the variety of ways that Zope2 is used? In that situation, the
> request behavior of Zope2 would not necessarily be considered a Zope2
> vulnerability.
>
Zope2 development is dead. They do not have the people to address the
problem and aren't very interested in it(we've tried coordinating). It is a
Zope2 issue vulnerability. Plone will likely be forking...


>
> Also, a separate issue is that the CVE request is specifically about
> backporting. It seems that, at some time in the past, the possibility
> of CSRF attacks against default Plone sites was identified and this
> motivated the development of auto CSRF protection in Plone 5.
> Normally, an assignment of a CVE ID or IDs would be associated with
> the original discovery, not a later backporting of fixes. Are these
> equivalent in this case: for example, were all of the CSRF attack
> possibilities against default Plone sites discovered by Plone
> Foundation contributors, and security-vulnerability-20151006-csrf is
> the first general public announcement that these CSRF issues existed
> at all?
>
There are no other previously known unpatched CSRF vulnerabilities this is
backporting. After testing, we knew that our automatic CSRF protection also
addressed the reported CSRF issue.

security-vulnerability-20151006-csrf is the first public announcement that
Zope2 is mostly unprotected. Zope2 has a collection of management
interfaces, many of which are vulnerable.


>
> - --
> CVE assignment team, MITRE CVE Numbering Authority
> M/S M300
> 202 Burlington Road, Bedford, MA 01730 USA
> [ PGP key available through http://cve.mitre.org/cve/request_id.html ]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iQIcBAEBCAAGBQJWG9wmAAoJEL54rhJi8gl5n6oQAKXuzwqb4bmBs4K5NhpJ4NtI
> d37u737MsJSGLLtXGlrupC2XDwq/LuSN80SmOQVYnPn4EU4SU+17bvwjOP30LECD
> DJMt7m10LuGjamyrbFGfALzXh0iPkZHoUN289c+oQZN9P8pdVlVfZlVrgZP2KPQk
> 3MbELeGrh0NogA2+yRFAdufKQovo4cnyQuHsxqpV/7Mv+YJwlFInhJVcrI35F5TF
> R3sDKoIkjMXicPRA9+9dZYnTeNmypGVhuBUhG6UwW+Ob4dlR6fAyMH6NV+977r+5
> 9DnDsyHQ+6axYqNT/+4kY1tXHi9dXvhSoV71OGtcMODknD7RyiVdF1DpuJl7PP7Y
> u+TaqrN7A7x5kalSCspLYsYlvciyIXURJv32ZANVeT/67mEqnWky7ZnoUrssPqzf
> FIgqAM1MUPD9KT+P9zDoiG0oFfVKpu9EqLlo372pyw+nVn/2U0fPdGzKro+kOZGQ
> CU+wxdFX2xwZTAsP1JXzHBoHEY0Q/i+GSAlqHvNuILlLgdypPS9YxiCNc0pVmsBE
> 2HRxNoZAWBhiAD/B/nEFjNyvi6yGzz35QNhaYGeMQpVrlDh65BNt3wT+pkCxB/tr
> W7ZbRsu4DBxt/yyVy9FqOdw0eIqo2beplKxVWHjbAIKapQjCyJ0VXD887CBw7AlC
> uVpQbre4M9bmYXVg95Bz
> =tvlJ
> -----END PGP SIGNATURE-----
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.