From 706ba6c6f22e7744d37721dbccfbd33c2c6796e8 Mon Sep 17 00:00:00 2001 From: Ernest W Durbin III Date: Mon, 24 Feb 2020 14:07:52 -0500 Subject: [PATCH] document CSRF vulnerability on PyPI upload endpoint --- packages.rst | 1 + .../index-2020-02-22-upload_endpoint_csrf.rst | 60 +++++++++++++++++++ 2 files changed, 61 insertions(+) create mode 100644 pypi-vuln/index-2020-02-22-upload_endpoint_csrf.rst diff --git a/packages.rst b/packages.rst index 00c6e51..76dbf8e 100644 --- a/packages.rst +++ b/packages.rst @@ -44,6 +44,7 @@ Vulnerabilites in the Package Index pypi-vuln/index-2017-10-12-unchecked_file_deletion.rst pypi-vuln/index-2017-11-08-pypirc_exposure_on_github.rst pypi-vuln/index-2020-01-05-authentication_method_flaws.rst + pypi-vuln/index-2020-02-22-upload_endpoint_csrf.rst diff --git a/pypi-vuln/index-2020-02-22-upload_endpoint_csrf.rst b/pypi-vuln/index-2020-02-22-upload_endpoint_csrf.rst new file mode 100644 index 0000000..52f6093 --- /dev/null +++ b/pypi-vuln/index-2020-02-22-upload_endpoint_csrf.rst 
@@ -0,0 +1,60 @@ +================================== +Upload endpoint CSRF vulnerability +================================== + +Summary +======= + +A `Cross Site Request Forgery `_ +vulnerability was discovered in the endpoint which accepts uploads to PyPI. + +* Disclosure date: **2020-02-22** (Reported via security policy on `pypi.org `_) +* Disclosed by: Joachim Jablon + +Reported vulnerability +====================== + +Upload endpoint vulnerable to CSRF +---------------------------------- + +Although PyPI implements CSRF protection for endpoints with side effects +throughout the views and endpoints for the primary web user interface, that +protection is not implemented for the upload endpoint at +https://upload.pypi.org/legacy/. This endpoint is not intended for browsers, +but rather clients such as `setuptools `_ +and `twine `_ which do not authenticate using +HTTP Sessions or Cookies. + +The upload endpoint was misconfigured to accept HTTP Session authentication +cookies from pypi.org. Combined with intentional disabling of CSRF protection +on this endpoint, an attacker could have constructed a form to trick PyPI users +into uploading releases to PyPI. + +Initially resolved in: https://github.com/pypa/warehouse/pull/7432 + +Assessment +========== + +We are unable to directly determine if this vulnerabilities was +exploited. PyPI stores an Audit Log of events modifying user accounts and +projects on the service. These log successful logins via the login form but +were not configured to log authentication via other methods as they were +assumed to be associated with package uploads only, which are logged +separately. + +Reccomendations +=============== + +Users are encouraged to review their `Account Security History `_ +regularly to determine if any suspicious activity has taken place. If you +identify any such activity, please report it per `our published security policy `_. 
+ +Timeline +======== + +* 2020-02-22 Issue reported by Joachim Jablon to security@python.org per PyPI + security policy on `pypi.org `_ +* 2020-02-23 (**+1days**): Report investigated by Ernest W. Durbin III and + determined to be valid. +* 2020-02-24 (**+2days**): Fixes reviewd by PyPI administrators, deployed, and + verified.
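Review bot: the new toctree entry in packages.rst lands in the correct chronological position after `index-2020-01-05-authentication_method_flaws.rst`, so nothing to change there; while this hunk touches the file, the section heading shown in the hunk header, "Vulnerabilites in the Package Index", carries a pre-existing misspelling that should read "Vulnerabilities in the Package Index".

Review bot: the external hyperlink references in the new advisory (`Cross Site Request Forgery `_, `pypi.org `_, `setuptools `_, `twine `_, `Account Security History `_, `our published security policy `_) have no URL target between the link text and the closing backtick-underscore in the hunk as shown, so Sphinx will not resolve them as links; each needs its target filled in before merge. Spelling and grammar in the same file: "Reccomendations" should be "Recommendations", "Fixes reviewd by PyPI administrators" should be "Fixes reviewed by PyPI administrators", and "if this vulnerabilities was exploited" should be "if this vulnerability was exploited"; the Timeline offsets "**+1days**" and "**+2days**" read better as "**+1 day**" and "**+2 days**". One documentation gap: the Assessment section states that the Audit Log did not record authentication via non-login-form methods, which is what prevents determining whether the issue was exploited, but the advisory does not say whether that logging gap is closed by the linked PR or tracked separately; a sentence stating which would let readers know if the same blind spot applies to future incidents.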