
Security Vulnerability #494

Closed
mschop opened this issue Nov 11, 2018 · 9 comments

@mschop

mschop commented Nov 11, 2018

Hi,

I found a security vulnerability in engelsystem. How shall I provide more details?

Best Regards
mschop

@MyIgel
Member

MyIgel commented Nov 11, 2018

Hi @mschop, afaik there is no explicit address for this, so you should write a message to contact@engelsystem.de and @msquare will answer you. Afaik he is busy atm, so it would be nice if you could include me in the conversation too ;)

@msquare
Member

msquare commented Nov 11, 2018

Hi, please provide the details per e-mail to contact@engelsystem.de - or directly to me msquare@notrademark.de.

Thank you!

@mschop
Author

mschop commented Nov 13, 2018

CVE-2018-19182

@MyIgel
Member

MyIgel commented Nov 13, 2018

-v?

@mschop
Author

mschop commented Nov 13, 2018

??

MyIgel added a commit to MyIgel/engelsystem that referenced this issue Nov 20, 2018
* Ensure that the form is submitted with a POST request
* Replaced several links with forms

Closes engelsystem#494 (Security Vulnerability)
@MyIgel MyIgel added this to the 35c3 milestone Nov 20, 2018
msquare pushed a commit to MyIgel/engelsystem that referenced this issue Nov 24, 2018
* Ensure that the form is submitted with a POST request
* Replaced several links with forms

Closes engelsystem#494 (Security Vulnerability)
@mschop
Author

mschop commented Dec 22, 2018

@msquare is the fix already released?

@msquare
Member

msquare commented Dec 22, 2018

Since the installation is still mostly done by cloning the repository, this may be seen as released, I guess.

@mschop
Author

mschop commented Dec 22, 2018

@msquare Ok. Thanks. Then I'll publish the details for the CVE right now.

Those are the details regarding the security vulnerability:

There was no CSRF protection mechanism in engelsystem. This allowed attackers to slip a user a spoofed request.
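
The missing protection described above, as an added example that is not engelsystem's own code: a session-bound synchronizer token checked on every state-changing request, combined with the POST-only check the fix commit describes, so that a plain link can no longer mutate state and a cross-site form cannot supply a valid token. The function names and the `_token` field name are assumptions, and the sample requests are constructed.

```php
<?php
// Added example (not engelsystem code): synchronizer-token CSRF protection
// for a state-changing form handler, plus rejection of non-POST requests.

function csrf_token(array &$session): string {
    // One token per session, generated from a CSPRNG and stored server-side.
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrf_field(array &$session): string {
    // Hidden input to embed in every state-changing form; this is what
    // "replacing links with forms" makes possible.
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="_token" value="' . $token . '">';
}

function handle_state_change(string $method, array $post, array &$session): string {
    // A plain link is a GET; state changes must only be accepted via POST.
    if ($method !== 'POST') {
        return '405 method not allowed';
    }
    // A forged cross-site form cannot read the victim's session, so it cannot
    // present a matching token. hash_equals avoids timing leaks; the is_string
    // guard rejects array-valued input (e.g. _token[]=...) instead of erroring.
    $expected = csrf_token($session);
    $given = $post['_token'] ?? '';
    if (!is_string($given) || !hash_equals($expected, $given)) {
        return '403 invalid csrf token';
    }
    return '200 action performed';
}

// Constructed sample requests against one session (not from the report).
$session = [];
$form = csrf_field($session);   // rendered into the legitimate page
$token = $session['csrf_token'];

echo handle_state_change('GET', [], $session), "\n";                      // link-style request
echo handle_state_change('POST', [], $session), "\n";                     // form without a token
echo handle_state_change('POST', ['_token' => 'guess'], $session), "\n";  // wrong token
echo handle_state_change('POST', ['_token' => $token], $session), "\n";   // legitimate form
```
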

@msquare
Member

msquare commented Dec 22, 2018

Yes, ok. Thank you.
