
Security vulnerabilities announced #300

Closed
fgeek opened this Issue Dec 24, 2013 · 12 comments

5 participants

@fgeek
fgeek commented Dec 24, 2013

For details please see: http://seclists.org/fulldisclosure/2013/Dec/199

Are these issues already fixed in some version? If not, do you have a plan already?
Are these issues tracked in some issue tracker?
Have you requested CVE identifiers for these security updates?

@jenrzzz
jenrzzz commented Dec 24, 2013

+1

@steveyken
Fat Free CRM member

This is the first communication I've received regarding the issue. Will look into this immediately.

@mattgow
Fat Free CRM member
mattgow commented Dec 27, 2013

Henri, you are a gentleman for posting a ticket here where anyone active on the project sees it. Thank you!

In answer to your questions (as far as I know):

  • The issues are not yet fixed. Steve is working on a plan (but he has limited time/resources so hopefully some other people will be heroes and start helping too)
  • It would make sense to track things here on github. Perhaps you could make individual tickets for them Henri?
  • I'm not well versed in the CVE process and I'm pretty sure that no-one is responsible for requesting them at this stage. Perhaps everyone assumed FFCRM wasn't a sufficiently "significant" project to do that. What would you advise? Would you consider being a contributor to this project as a security officer?

@steveyken
Fat Free CRM member

The disclosed issues have now been fixed. I've written a wiki page to provide more details - https://github.com/fatfreecrm/fat_free_crm/wiki/Fixing-security-vulnerabilities-(27th-Dec-2013) and announced on the Fat Free CRM Users list

@fgeek
fgeek commented Dec 27, 2013

I can request CVE identifiers for these issues. Thank you for reacting quickly.

@fgeek
fgeek commented Dec 28, 2013

CVEs have been assigned. A few comments from Mitre too. Could you please answer?

CVE-2013-7222: Known Session Secret
CVE-2013-7223: Lack of CSRF Protection
CVE-2013-7224: Default to_json for models
CVE-2013-7225: Multiple SQL Injections

Comments below:

For item 3: if there is an information-disclosure vulnerability involving to_xml, please let us know and we can assign an additional CVE ID. The joernchen advisory mentioned only to_json, and therefore to_xml has a different discoverer and may require a separate CVE ID.

If there is a denial of service issue involving :delete, please let us know and we can assign an additional CVE ID. The joernchen advisory mentioned only "renders JSON requests with a full JSON object," and therefore :delete has a different discoverer and may require a separate CVE ID.

@steveyken
Fat Free CRM member

Thanks, replied.

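The first item in the CVE list above, a known session secret (CVE-2013-7222), as an added example that is not code from this thread or from Fat Free CRM: a minimal model of an HMAC-signed cookie session in the style of the Rails 3 cookie store, showing that anyone who can read the secret can mint a session cookie the server accepts, and that a freshly generated per-deployment secret rejects the same cookie. The cookie format, the `SignedSession` class, the helper names and the placeholder secret value are assumptions for illustration; JSON stands in for the serializer.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Minimal model of a signed cookie session in the style of the Rails 3
# cookie store (an assumption for illustration, not the project's code):
#   payload = Base64(serialized session hash)
#   cookie  = "#{payload}--#{HMAC-SHA1(secret, payload)}"
# JSON stands in for the serializer; the signing scheme is the point.
class SignedSession
  def initialize(secret)
    @secret = secret
  end

  def sign(session)
    data = Base64.strict_encode64(JSON.generate(session))
    "#{data}--#{digest(data)}"
  end

  # Returns the session hash when the signature verifies, nil otherwise.
  def verify(cookie)
    data, sig = cookie.split('--', 2)
    return nil if data.nil? || sig.nil?
    return nil unless secure_compare(digest(data), sig)
    JSON.parse(Base64.strict_decode64(data))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  private

  def digest(data)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), @secret, data)
  end

  # Constant-time comparison so the check itself does not leak the digest.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# A secret that is committed to the repository is public. This value is a
# constructed placeholder, not anything from the project.
SHIPPED_SECRET = 'constructed-placeholder-secret-committed-to-git'.freeze

# Anyone who has read the secret can mint a session for any user id.
def forge_session_for(secret, user_id)
  SignedSession.new(secret).sign('user_id' => user_id)
end

def server_accepts?(secret, cookie)
  !SignedSession.new(secret).verify(cookie).nil?
end

# The fix: a per-deployment secret generated at install time and kept out
# of version control, so a cookie minted with the shipped value is rejected.
def generate_fresh_secret
  OpenSSL::Random.random_bytes(64).unpack1('H*')
end

if __FILE__ == $PROGRAM_NAME
  forged = forge_session_for(SHIPPED_SECRET, 1)
  puts "shipped secret, forged cookie accepted: #{server_accepts?(SHIPPED_SECRET, forged)}"
  puts "fresh secret, same cookie accepted:     #{server_accepts?(generate_fresh_secret, forged)}"
end
```

Rotating the secret invalidates every existing session, which is the intended effect here: any cookie signed under the leaked value must stop working.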
@steveyken
Fat Free CRM member

CVE-2013-7249 also assigned for the to_xml variant of CVE-2013-7224

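The to_json item in the CVE list above (CVE-2013-7224) and its to_xml variant (CVE-2013-7249), as an added example that is not code from this thread or from Fat Free CRM: a stand-in for a model whose default serialization emits every column, beside one that applies an explicit allowlist before any caller-supplied `:only`/`:except` options, so both the JSON and the XML renderings stop carrying credential material. The `LeakyUser`/`SafeUser` classes, the `Serializes` module, the column names and the sample row are constructed for illustration.

```ruby
require 'json'

# Constructed sample row (not real data). The last three columns are the
# kind of thing a users table holds and must never leave the server.
SAMPLE_ROW = {
  'id' => 1,
  'username' => 'alice',
  'email' => 'alice@example.com',
  'password_hash' => '$2a$10$constructedhashvalue',
  'password_salt' => 'constructedsalt',
  'api_token' => 'constructed-api-token'
}.freeze

SENSITIVE = %w[password_hash password_salt api_token].freeze

# Minimal stand-in for a model serialization stack (assumption for
# illustration): to_json and to_xml both start from serializable_hash,
# so a fix applied there covers both output formats.
module Serializes
  def as_json(opts = {})
    serializable_hash(opts)
  end

  def to_json(opts = {})
    JSON.generate(as_json(opts))
  end

  def to_xml(opts = {})
    root = opts.fetch(:root, 'user')
    body = serializable_hash(opts).map { |k, v| "  <#{k}>#{xml_escape(v)}</#{k}>\n" }.join
    "<#{root}>\n#{body}</#{root}>\n"
  end

  private

  def xml_escape(value)
    value.to_s.gsub(/[&<>]/, '&' => '&amp;', '<' => '&lt;', '>' => '&gt;')
  end
end

# Default behaviour: every column is serialized, credentials included.
class LeakyUser
  include Serializes
  attr_reader :attributes

  def initialize(attributes)
    @attributes = attributes
  end

  def serializable_hash(_opts = {})
    attributes.dup
  end
end

# Hardened: an explicit allowlist applied before any caller-supplied
# :only/:except, so a controller cannot widen it by passing options.
class SafeUser < LeakyUser
  PUBLIC_ATTRIBUTES = %w[id username].freeze

  def serializable_hash(opts = {})
    only = Array(opts[:only]).map(&:to_s)
    except = Array(opts[:except]).map(&:to_s)
    attributes.select do |k, _|
      PUBLIC_ATTRIBUTES.include?(k) &&
        (only.empty? || only.include?(k)) &&
        !except.include?(k)
    end
  end
end

# Which sensitive column names appear in a serialized body?
def leaked_fields(body)
  SENSITIVE.select { |name| body.include?(name) }
end

if __FILE__ == $PROGRAM_NAME
  puts "default to_json leaks: #{leaked_fields(LeakyUser.new(SAMPLE_ROW).to_json).inspect}"
  puts "default to_xml leaks:  #{leaked_fields(LeakyUser.new(SAMPLE_ROW).to_xml).inspect}"
  puts "allowlisted to_json:   #{SafeUser.new(SAMPLE_ROW).to_json}"
  puts "allowlisted to_xml:\n#{SafeUser.new(SAMPLE_ROW).to_xml}"
end
```

Putting the allowlist in `serializable_hash` rather than in each controller action is what closes both CVEs at once: `render json:` and `render xml:` share the same hash, and a later `:only` option can only narrow it.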
@vsiegel
vsiegel commented Jan 3, 2014

Just to be sure, because I do not see it obviously covered:
Is the issue of exposing the list of all user names (or email addresses) handled?
As noted in a reply to the original report, view the source of http://demo.fatfreecrm.com/login, which shows a list of users.

@steveyken
Fat Free CRM member

In case you missed it, the 2nd security advisory has been released. I'm going to close this issue now.

https://github.com/fatfreecrm/fat_free_crm/wiki/Fixing-security-vulnerabilities-%287th-jan-2014%29

@steveyken steveyken closed this Jan 8, 2014