
Security vulnerabilities announced #300

Closed
fgeek opened this issue Dec 24, 2013 · 12 comments

Comments

@fgeek

fgeek commented Dec 24, 2013

For details please see: http://seclists.org/fulldisclosure/2013/Dec/199

Are these issues already fixed in some version? If not, do you have a plan already?
Are these issues tracked in some issue tracker?
Have you requested CVE identifiers for these security updates?

@jenrzzz

jenrzzz commented Dec 24, 2013

+1

@steveyken
Member

This is the first communication I've received regarding the issue. Will look into this immediately.

@mattgow
Member

mattgow commented Dec 27, 2013

Henri, you are a gentleman for posting a ticket here where anyone active on the project sees it. Thank you!

In answer to your questions (as far as I know):

  • The issues are not yet fixed. Steve is working on a plan (but he has limited time/resources so hopefully some other people will be heroes and start helping too)
  • It would make sense to track things here on github. Perhaps you could make individual tickets for them Henri?
  • I'm not well versed in the CVE process and I'm pretty sure that no-one is responsible for requesting them at this stage. Perhaps everyone assumed FFCRM wasn't a sufficiently "significant" project to do that. What would you advise? Would you consider being a contributor to this project as a security officer?

@steveyken
Member

The disclosed issues have now been fixed. I've written a wiki page to provide more details - https://github.com/fatfreecrm/fat_free_crm/wiki/Fixing-security-vulnerabilities-(27th-Dec-2013) and announced on the Fat Free CRM Users list

@fgeek
Author

fgeek commented Dec 27, 2013

I can request CVE identifiers for these issues. Thank you for reacting quickly.

@fgeek
Author

fgeek commented Dec 28, 2013

CVEs have been assigned. A few comments from Mitre too. Could you please answer?

CVE-2013-7222: Known Session Secret
CVE-2013-7223: Lack of CSRF Protection
CVE-2013-7224: Default to_json for models
CVE-2013-7225: Multiple SQL Injections

Comments below:

For item 3: if there is an information-disclosure vulnerability involving to_xml, please let us know and we can assign an additional CVE ID. The joernchen advisory mentioned only to_json, and therefore to_xml has a different discoverer and may require a separate CVE ID.

If there is a denial of service issue involving :delete, please let us know and we can assign an additional CVE ID. The joernchen advisory mentioned only "renders JSON requests with a full JSON object," and therefore :delete has a different discoverer and may require a separate CVE ID.
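CVE-2013-7222 above is a known (shipped) session secret. The Ruby below is an added illustration, not code from fat_free_crm or from anyone in this thread: it re-implements the signed-cookie format Rails 3's CookieStore uses through ActiveSupport::MessageVerifier (base64 payload, `--`, hex HMAC-SHA1 over that payload) and shows that whoever knows the secret can mint a cookie the server accepts offline, which is why a secret committed to the repository is equivalent to no secret at all. The class, the SHIPPED_SECRET constant and every value are constructed for the example; JSON is used as the serializer in place of Rails' Marshal so the forged payload is inert.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

# Hypothetical re-implementation of the scheme Rails 3's CookieStore uses via
# ActiveSupport::MessageVerifier: "<base64(payload)>--<hex HMAC-SHA1(secret, base64)>".
# Rails serialises the session with Marshal; JSON is used here so a forged
# payload is inert, but the signature logic is the same.
class CookieSigner
  def initialize(secret)
    @secret = secret
  end

  # Mint a cookie for an arbitrary session hash. Anyone holding @secret can do this.
  def generate(session)
    data = [JSON.generate(session)].pack('m0') # strict base64, no newlines
    "#{data}--#{digest(data)}"
  end

  # Returns the session hash, or nil if the signature does not verify.
  def verify(cookie)
    data, sig = cookie.to_s.split('--', 2)
    return nil unless data && sig && secure_compare(digest(data), sig)
    JSON.parse(data.unpack1('m0'))
  end

  private

  def digest(data)
    OpenSSL::HMAC.hexdigest('SHA1', @secret, data)
  end

  # Constant-time comparison so the check itself does not leak the digest.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# A secret committed to the repository (the "known session secret" case): every
# install shares it, so reading the source is enough to sign cookies for all of
# them. Constructed value for the example, not any project's real secret.
SHIPPED_SECRET = 'c0ffee' * 10

# Offline forgery: no request to the server is needed to obtain this cookie.
def forge_with_known_secret(secret, victim_user_id)
  CookieSigner.new(secret).generate('user_id' => victim_user_id)
end

def server_accepts?(secret, cookie)
  !CookieSigner.new(secret).verify(cookie).nil?
end

# The fix: a per-deployment random secret generated at install time and kept
# out of version control (the length `rake secret` produces).
def fresh_secret
  SecureRandom.hex(64)
end

if __FILE__ == $PROGRAM_NAME
  forged = forge_with_known_secret(SHIPPED_SECRET, 1)
  puts "shared secret:      accepted=#{server_accepts?(SHIPPED_SECRET, forged)}"
  puts "per-install secret: accepted=#{server_accepts?(fresh_secret, forged)}"
end
```

The signature is only as secret as the key: the same cookie that a shared secret accepts is rejected the moment the deployment has its own random secret, and a payload swapped under a valid signature is rejected in both cases.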

@steveyken
Member

Thanks, replied.

@steveyken
Member

CVE-2013-7249 also assigned for the to_xml variant of CVE-2013-7224
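Item 3 of the CVE list above (CVE-2013-7224, with CVE-2013-7249 for the to_xml variant) concerns a model's default serializer handing out every column. The Ruby below is an added example, not fat_free_crm code: a stand-in User class with a hypothetical attribute set shows what the default `attributes.to_json` exposes and how an allowlist in `as_json` closes the hole for both JSON and XML renders. Class and field names are constructed, and the XML writer is hand-rolled so the example runs without Rails.

```ruby
require 'json'

# Hypothetical stand-in for an ActiveRecord model; not the project's class.
class User
  ATTRIBUTES = %i[id username email password_hash persistence_token].freeze
  attr_reader(*ATTRIBUTES)

  # Columns that may leave the application. Everything else stays internal.
  PUBLIC_ATTRIBUTES = %w[id username email].freeze

  XML_ESCAPES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;' }.freeze

  def initialize(**attrs)
    ATTRIBUTES.each { |a| instance_variable_set("@#{a}", attrs.fetch(a)) }
  end

  # What Rails' default to_json / to_xml serialise: every column, secrets included.
  def attributes
    ATTRIBUTES.to_h { |a| [a.to_s, public_send(a)] }
  end

  # Rails routes to_json through as_json(options), so an allowlist here covers
  # every JSON render of the model, including `render json: @user` with no
  # options. An `only:` option can narrow the set but never widen it.
  def as_json(options = {})
    requested = Array(options[:only]).map(&:to_s)
    keys = requested.empty? ? PUBLIC_ATTRIBUTES : PUBLIC_ATTRIBUTES & requested
    attributes.slice(*keys)
  end

  # JSON.generate passes a State object rather than a Hash when the user is
  # nested inside another structure; treat that as "no options".
  def to_json(options = {}, *)
    as_json(options.is_a?(Hash) ? options : {}).to_json
  end

  # The to_xml variant goes through the same allowlist.
  def to_xml(options = {})
    body = as_json(options).map { |k, v| "  <#{k}>#{xml_escape(v)}</#{k}>\n" }.join
    "<user>\n#{body}</user>\n"
  end

  private

  def xml_escape(value)
    value.to_s.gsub(/[&<>"]/, XML_ESCAPES)
  end
end

# Constructed sample record carrying the kind of secrets a CRM user row holds.
SAMPLE_USER = User.new(id: 7, username: 'alice', email: 'alice@example.com',
                       password_hash: '$2a$10$constructedhash', persistence_token: 'deadbeef')

# Before: the "full JSON object" Mitre's comment refers to.
def leaky_json(user)
  user.attributes.to_json
end

# After: only the allowlisted columns, in either format.
def safe_json(user, options = {})
  user.to_json(options)
end

def safe_xml(user, options = {})
  user.to_xml(options)
end

if __FILE__ == $PROGRAM_NAME
  puts leaky_json(SAMPLE_USER)
  puts safe_json(SAMPLE_USER)
  puts safe_xml(SAMPLE_USER)
end
```

Putting the allowlist on the model rather than in each controller action is the point: a new `render json:` or `render xml:` added later cannot reintroduce the leak, and a caller's `only:` can request less than the allowlist but never more.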

@vsiegel

vsiegel commented Jan 3, 2014

Just to be sure, because I do not see it obviously covered:
Is the issue of exposing the list of all user names (or email addresses) handled?
As noted in a reply to the original report,
view the source of:
http://demo.fatfreecrm.com/login
showing a list of users.

@steveyken
Member

Yup, this isn't covered by the CVE directly as it wasn't mentioned in the advisory, but rather as a comment later on.

However, it's definitely being addressed as part of a wider audit. This week I've been going through the entire codebase to hunt for vulnerabilities. The comment about 404 messages divulging server paths was also noted and addressed (see comment re passwords controller).

We'll have another code update in a few days and documentation to help people upgrade.

Regards,
Steve


@steveyken
Member

In case you missed it, the 2nd security advisory has been released. I'm going to close this issue now.

https://github.com/fatfreecrm/fat_free_crm/wiki/Fixing-security-vulnerabilities-%287th-jan-2014%29
