Security Vulnerability #494

Closed
mschop opened this Issue Nov 11, 2018 · 9 comments


mschop commented Nov 11, 2018

Hi,

I found a security vulnerability in engelsystem. How shall I provide more details?

Best Regards
mschop

Collaborator

MyIgel commented Nov 11, 2018

Hi @mschop, afaik there is no explicit address for this, so you should write a message to contact@engelsystem.de and @msquare will answer you. Afaik he is busy atm so it would be nice if you could include me in the conversation too ;)

Member

msquare commented Nov 11, 2018

Hi, please provide the details by e-mail to contact@engelsystem.de - or directly to me at msquare@notrademark.de.

Thank you!


mschop commented Nov 13, 2018

CVE-2018-19182

Collaborator

MyIgel commented Nov 13, 2018

-v?


mschop commented Nov 13, 2018

??

MyIgel added a commit to MyIgel/engelsystem that referenced this issue Nov 20, 2018

Require POST for sending forms
* Ensure that the form is submitted with a post request
* Replaced several links with forms

Closes engelsystem#494 (Security Vulnerability)

MyIgel added this to the 35c3 milestone Nov 20, 2018

msquare closed this in 944c29b Nov 21, 2018

msquare added a commit to MyIgel/engelsystem that referenced this issue Nov 24, 2018

Require POST for sending forms
* Ensure that the form is submitted with a post request
* Replaced several links with forms

Closes engelsystem#494 (Security Vulnerability)

mschop commented Dec 22, 2018

@msquare is the fix already released?

Member

msquare commented Dec 22, 2018

Since the installation is still mostly done by cloning the repository, this may be seen as released, I guess.


mschop commented Dec 22, 2018

@msquare Ok. Thanks. Then I will publish the details for the CVE right now.

These are the details regarding the security vulnerability:

There was no CSRF protection mechanism in engelsystem. This allowed attackers to slip a user a spoofed request.

Member

msquare commented Dec 22, 2018

Yes, ok. Thank you.
