
[SECURITY] Discovered vulnerability #670

Closed
JavierOlmedo opened this issue Oct 30, 2018 · 13 comments

@JavierOlmedo

Hi,

Please, how can I report a vulnerability?

regards

@TimZ99
Member

TimZ99 commented Oct 30, 2018

Please send me a private message. Email, Gitter, Telegram, whatever you prefer.

@JavierOlmedo
Author

JavierOlmedo commented Oct 31, 2018

Ok, I send you a report by Telegram

@amcguirebootster

@javier can you PM me the details? I am going to deploy some of this code base into my company's infrastructure and we need to maintain PCI

@JavierOlmedo
Author

@amcguirebootster You can deploy the software in your company. If you want more details, please contact
@TimZ99; he can tell you how to patch it temporarily until a new version.

@mooleshacat

Is it fixed? This is installed on my mining pool server :)

@amcguirebootster

amcguirebootster commented Nov 15, 2018 via email

@JavierOlmedo
Author

@amcguirebootster The vulnerability cannot be published; an attacker could take advantage of it. Wait for a new version or patch.

@mooleshacat

mooleshacat commented Nov 21, 2018

@amcguirebootster If it were published it would be fixed by now and our servers would be secure... This is github. Post it so we can patch it ourselves, and make a PR

This is the most lengthy response to a security threat. It should have been patched by now if it is that big of a threat (or release a patch for us to use)

I am removing this from my server, I cannot risk my servers.

I will just hack my own shellscript to do this

Good day

@TimZ99
Member

TimZ99 commented Nov 21, 2018

My sincere apologies to all of you waiting! I do realise that a patch must be released as soon as possible, I just haven't had the time. I will release the patch later this evening (CET).

@leshacat A vulnerability doesn't get disclosed before a patch is in place. Not disclosing it gives the maintainers the time to create the patch before bad people can exploit the vulnerability. I do need to say that this patch should have been there sooner. Sad to see you go.
(btw why liking your own post 🤭)

TimZ99 added a commit that referenced this issue Nov 22, 2018
View #670 for full vulnerability disclosure.
@TimZ99
Member

TimZ99 commented Nov 22, 2018

Vulnerability disclosure:

Found by: @JavierOlmedo
Notice: October 30, 2018
Kind of vulnerability: CSRF

Vulnerability: An attacker could remove users, logs, and servers through a CSRF attack.
Protection against such an attack was already in place for all requests using the POST method. As the delete buttons use GET, they didn't fall under the CSRF protection.

Changes: When removing users, logs, and servers, a CSRF token will be sent with the URL. This token will be verified and the request will either pass or get denied.

The patch has been pushed as 3015071 to issue/670 based on v3.3.1 and released as v3.3.2.
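The disclosure above describes the defect and the fix in one line each. The following is an added illustration, not code from this project or from any participant in the thread (the page does not name the project's implementation language, so Python is used): a tiny request dispatcher in which the CSRF token is only verified on POST, so a `?action=delete` GET link forged on another site goes straight through, beside a fixed dispatcher that attaches a per-session token to the delete URL and checks it regardless of HTTP method. The `Session` class, the `action`/`id`/`csrf` parameter names and the sample user table are all constructed for the example.

```python
"""Constructed model of the issue in this thread: delete actions were reachable
by GET and the existing CSRF check covered only POST, so a forged link could
delete records. The fix carries a per-session token in the delete URL and
verifies it before acting. Every name here is an assumption for illustration."""
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse


class Session:
    """Minimal stand-in for a logged-in user's server-side session."""

    def __init__(self) -> None:
        # Unpredictable, per-session token (hypothetical; real apps also bind
        # it to the session and rotate it on login).
        self.csrf_token = secrets.token_urlsafe(32)
        # Constructed sample data standing in for the application's user table.
        self.users: Dict[int, str] = {1: "alice", 2: "bob"}


def _query(url: str) -> Dict[str, str]:
    """First value of each query-string parameter."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def _token_ok(presented: str, expected: str) -> bool:
    """Constant-time comparison; encode to bytes so non-ASCII input cannot raise."""
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


def _delete_user(session: Session, user_id: str) -> bool:
    if not user_id.isdigit():
        return False
    return session.users.pop(int(user_id), None) is not None


def handle_before_fix(session: Session, method: str, url: str,
                      form: Optional[Dict[str, str]] = None) -> str:
    """Vulnerable dispatcher: the token is checked only for POST bodies.
    A GET delete link bypasses the check entirely."""
    if method == "POST":
        if not _token_ok((form or {}).get("csrf", ""), session.csrf_token):
            return "denied"
    params = _query(url)
    if params.get("action") == "delete":
        return "deleted" if _delete_user(session, params.get("id", "")) else "not found"
    return "ok"


def delete_link(session: Session, user_id: int) -> str:
    """Post-fix link generation: the session's token rides along in the URL,
    as the disclosure describes for the user/log/server delete buttons."""
    return f"/users?action=delete&id={user_id}&csrf={session.csrf_token}"


def handle_after_fix(session: Session, method: str, url: str,
                     form: Optional[Dict[str, str]] = None) -> str:
    """Fixed dispatcher: every state-changing request is verified, whether the
    token arrives in a POST body or in the GET query string."""
    params = _query(url)
    state_changing = method == "POST" or params.get("action") == "delete"
    if state_changing:
        token = (form or {}).get("csrf", "") if method == "POST" else params.get("csrf", "")
        if not _token_ok(token, session.csrf_token):
            return "denied"
    if params.get("action") == "delete":
        return "deleted" if _delete_user(session, params.get("id", "")) else "not found"
    return "ok"


if __name__ == "__main__":
    vulnerable, fixed = Session(), Session()
    forged = "/users?action=delete&id=1"  # what a cross-site link or <img src> would request
    print("before fix, forged GET:", handle_before_fix(vulnerable, "GET", forged))
    print("after fix,  forged GET:", handle_after_fix(fixed, "GET", forged))
    print("after fix,  real link: ", handle_after_fix(fixed, "GET", delete_link(fixed, 1)))
```

The verification has to cover every request that changes state, not every request that uses a particular method; that is the whole lesson of this report. Two practical points for anyone adopting the same shape of fix: compare the token in constant time, and remember that a token in a query string is visible in server logs and may leak through the Referer header, which is one reason many frameworks prefer to move destructive actions to POST even when a GET token check is in place.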

@TimZ99 TimZ99 closed this as completed Nov 22, 2018
@TimZ99
Member

TimZ99 commented Nov 22, 2018

If there are any questions, feel free to ask 👍.

@mooleshacat

mooleshacat commented Nov 23, 2018

@TimZ99 you are awesome <3 pulling this now :D

@Rayne

Rayne commented Nov 23, 2018

@TimZ99 The website is a little outdated. It displays 3.2.0 as latest version.
