oss-sec mailing list archives
Re: CVE request: Pyplate multiple vulnerabilities
From: cve-assign () mitre org
Date: Fri, 23 May 2014 12:50:25 -0400 (EDT)
http://openwall.com/lists/oss-security/2014/05/14/3
Installation instruction tells user to execute following commands without checking any checksums or similar:
    wget http://pyplate.com/pyplate_install.sh
    chmod +x ./pyplate_install.sh
    sudo ./pyplate_install.sh
This type of issue is probably outside the scope of CVE. A set of installation commands only implies that an installation can be done that way, not that an installation should be done that way. There's no commonly recognized requirement for a vendor to try to document the types of pre-installation audits that might be important at customer sites. Of course, the issue is worth pointing out because the vendor may want to add functionality for download verification, etc.
File /usr/lib/cgi-bin/create_passwd_file.py creates passwd.db for admin user password with world readable permissions.
    -rw-r--r-- 1 www-data www-data 99 May 13 20:45 /usr/share/pyplate/passwd.db
Use CVE-2014-3851.
Application is not using HttpOnly ... flag in cookie "id".
Use CVE-2014-3852.
Application is not using ... Secure ... flag in cookie "id".
Use CVE-2014-3853.
CSRF + XSS with cookie stealing PoC: action="http://example.com/admin/addScript.py" method="POST" name="title" value="[XSS]"
Use CVE-2014-3854 for this CSRF vulnerability. The XSS could be independently relevant (with a separate CVE ID) if it can be used for privilege escalation by someone posting JavaScript intentionally using admin/addScript.py. We didn't immediately notice anything at http://www.pyplate.com/how-to/ suggesting that there would be multiple user accounts, with different privilege levels, who have legitimate access to admin/addScript.py.
    payload = {'filename': '../../../../etc/passwd'}
    r = requests.post('http://example.org/cgi-bin/download.py', data=payload)
Use CVE-2014-3855.
--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
Current thread:
- CVE request: Pyplate multiple vulnerabilities Henri Salo (May 14)
- Re: CVE request: Pyplate multiple vulnerabilities cve-assign (May 23)
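A defensive check for the `filename` directory traversal reported in the message above, as an added example that is not from the original message or from Pyplate's code: it resolves the client-supplied name against a download directory and rejects anything that lands outside it. The function names, the `/srv/downloads` directory and the sample file are assumptions made for illustration.

```python
import os
import tempfile


def naive_path(base_dir, filename):
    """Assumed vulnerable pattern: client input joined onto the base unchecked."""
    return os.path.normpath(os.path.join(base_dir, filename))


def safe_path(base_dir, filename):
    """Return the real path of filename inside base_dir, or raise ValueError."""
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks, so the check below
    # is made against the file that would actually be opened.
    target = os.path.realpath(os.path.join(base, filename))
    if target == base or os.path.commonpath([base, target]) != base:
        raise ValueError("filename escapes the download directory")
    if not os.path.isfile(target):
        raise ValueError("no such file")
    return target


def demo():
    """Run safe_path over constructed inputs; returns (filename, outcome) pairs."""
    results = []
    with tempfile.TemporaryDirectory() as base:
        # Constructed sample file standing in for a legitimate download.
        with open(os.path.join(base, "backup.tar"), "w") as fh:
            fh.write("constructed sample file\n")
        for name in ("backup.tar", "../../../../etc/passwd", "/etc/passwd"):
            try:
                safe_path(base, name)
                outcome = "served"
            except ValueError:
                outcome = "rejected"
            results.append((name, outcome))
    return results


if __name__ == "__main__":
    # Hypothetical base directory; shows where the unchecked join ends up.
    print(naive_path("/srv/downloads", "../../../../etc/passwd"))
    for name, outcome in demo():
        print(f"{name!r}: {outcome}")
```

The absolute-path case is included because `os.path.join` discards the base directory when the second argument is absolute, so stripping `../` sequences alone does not close the issue.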