oss-sec mailing list archives
Re: MantisBT weakened CSP when using bundled Gravatar plugin
From: cve-assign () mitre org
Date: Mon, 29 Aug 2016 17:51:35 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
MantisBT 1.3.0-rc.2 introduced a new bundled plugin to handle display of users' avatars using Gravatar. Instead of adding the Gravatar web site to the list of allowed image sources in MantisBT's Content Security Policy, the plugin was replacing the whole policy by: img-src 'self' http://www.gravatar.com/ instead of the more strict default one of: default-src 'self'; frame-ancestors 'none'; style-src 'self'; script-src 'self' Relaxed policy allows execution of remote and inline scripts, e.g. potentially enabling XSS attacks. https://github.com/mantisbt/mantisbt/commit/b3511d2feb47eaee41feb5f69cf3c8a2c9acd229 https://mantisbt.org/bugs/view.php?id=21263
Use CVE-2016-7111. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJXxK4MAAoJEHb/MwWLVhi2p3EQAKULs3JDc49mBXeyVZ24IUoE 6iWcUGjwiE5cHXnAxcNKZZp7/xsFo9tgdLbLZ37x48kU1cwp/B/rnQQCWJHfUJxJ gR0qIutmEWCAq3nIVC0IR+tBm//0iiJuTuRhH/NjE9W4+EBPPjIHkkHxvnWLqyJo SWBP/JJDYbB8sQ366+WLrNHTdxK+keVcu406KrbagWhPaMG1C9QAkTeHRxovI/me JkbA3cVjfmO9BjHrAkbEYEJRU6Qxn8XsXUNW8bGoHBUt4WFON8BOGpt6Yyn1iDCs APOou4yZqMPM8jSnS8MOCM9POuuK8QNXMTLPgnMkxLcFntz79ogVmzJYfl6jyQ6V PW2dNtFU03QTI4nvL2UbVi1+oEbZycQbRnU0If7wHjedXIekFEX2uik0fAnJRwAk LDgT/+g6g02RJZPmteQFrT0ZtXav2rFiznHicL93mRLt1sOiE32ULJrQ8DLBP5SA EYitfKS09oBLDdSC5k+wogX22UgoFm4xZLrauVbRMKUApZNvKVSAADNewmRopXKR Fm2lDPJKmmb+oOWVBj7MDz7J9u1SvnyVieX+53E8Bt0tnr9KD5R61XNfjnKJtvZg +2l+S8HEUN3FdDz2WINbs9z1Sd5Fok9jc+TQXeIXR07jPC+MKE26zywhIiMYIfl/ 2Rs4hh+EhmuT20OUq14x =U1Gg -----END PGP SIGNATURE-----
Current thread:
- MantisBT weakened CSP when using bundled Gravatar plugin Damien Regad (Aug 27)
- Re: MantisBT weakened CSP when using bundled Gravatar plugin cve-assign (Aug 29)
- Re: Re: MantisBT weakened CSP when using bundled Gravatar plugin Reed Loden (Aug 29)
- Re: MantisBT weakened CSP when using bundled Gravatar plugin Damien Regad (Aug 30)
- Re: Re: MantisBT weakened CSP when using bundled Gravatar plugin Reed Loden (Aug 29)
- Re: MantisBT weakened CSP when using bundled Gravatar plugin cve-assign (Aug 29)