oss-sec mailing list archives
CVE request - TelescopeJS Information Leakage: User BCrypt password hash post-authentication
From: Shubham Shah <admin () shubh am>
Date: Sun, 26 Apr 2015 16:56:48 +1000
Hi, TelescopeJS leaks the users BCrypt password hash in incoming websocket messages once the user has authenticated. Due to the fact that TelescopeJS is an expressjs web application, it uses the model of storing session information in the browsers localStorage. This means that if an attacker is able to find a single cross-site scripting flaw in MeteorJS, they would then be able to extract the users password hash from incoming websocket messages. This hash could then be cracked. The bcrypt hash is sent in incoming websocket messages every time the user object is needed by the application. This vulnerability affects TelescopeJS installations below version 0.15. A discussion about these issues can be found here: https://github.com/TelescopeJS/Telescope/issues/838 The commits leading to the fix for this flaw can be found here: https://github.com/TelescopeJS/Telescope/blob/dd6130637c00a8166cc4647153b441cb32b7ca61/lib/publications.js#L29-L31 If any more details are required, please let me know. Thank you, Shubham
Current thread:
- CVE request - TelescopeJS Information Leakage: User BCrypt password hash post-authentication Shubham Shah (Apr 25)