oss-sec mailing list archives

CVE Request - Coin Widget serves code over plain http.


From: Evan Teitelman <teitelmanevan () gmail com>
Date: Fri, 26 Jul 2013 21:19:33 -0400

Coin Widget is a Bitcoin and Litecoin donation widget. Its code is
normally downloaded from http://coinwidget.com/widget/coin.js in the
following manner.

<script src="http://coinwidget.com/widget/coin.js"></script>
<script>
CoinWidgetCom.go({
    wallet_address: "31uEbMgunupShBVTewXjtqbBv5MndwfXhb"
    , currency: "bitcoin"
    , counter: "count"
    , alignment: "bl"
    , qrcode: true
    , auto_show: false
    , lbl_button: "Donate"
    , lbl_address: "My Bitcoin Address:"
    , lbl_count: "donations"
    , lbl_amount: "BTC"
});
</script>

Without SSL or similar protection, it is possible for the code to be
modified in transit. A malicious individual could modify the code to
replace a legitimate wallet address with his or her own.

I believe this vulnerability is an example of CWE-300. Does it need a
CVE identifier?

I have copied the creator of Coin Widget on this email.

Thank you for your time,
Evan Teitelman.
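As an added example (not part of the original post or of the Coin Widget project), a small JavaScript audit that flags script includes fetched over plain HTTP in page markup, which is the CWE-300 condition the report describes, and builds the hardened form of the same include. The sample markup, the function names and the integrity digest are constructed placeholders.

```javascript
// Added example: detect third-party script includes that are loaded over
// plain HTTP (modifiable in transit) and show the hardened replacement
// (HTTPS plus Subresource Integrity). Not code from coinwidget.com.

// Constructed sample markup: the include from the report, a hardened
// variant, and a same-origin include. The integrity value is a placeholder,
// not the real digest of coin.js.
const SAMPLE_HTML = `
<script src="http://coinwidget.com/widget/coin.js"></script>
<script src="https://coinwidget.com/widget/coin.js"
        integrity="sha384-PLACEHOLDER_DIGEST_OF_COIN_JS"
        crossorigin="anonymous"></script>
<script src="/local/app.js"></script>
`;

// Return every <script src=...> in the markup with a verdict on its channel.
function auditScriptIncludes(html) {
  const re = /<script\b([^>]*)\bsrc\s*=\s*["']([^"']+)["']([^>]*)>/gi;
  const findings = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = m[1] + m[3];
    const src = m[2];
    const hasIntegrity = /\bintegrity\s*=/i.test(attrs);
    let verdict;
    if (/^http:\/\//i.test(src)) {
      verdict = "insecure: plain HTTP, modifiable in transit (CWE-300)";
    } else if (/^https:\/\//i.test(src) && !hasIntegrity) {
      verdict = "https but no integrity attribute: trusts the host fully";
    } else if (/^https:\/\//i.test(src)) {
      verdict = "ok: https with subresource integrity";
    } else {
      verdict = "same-origin include";
    }
    findings.push({ src, verdict });
  }
  return findings;
}

// Build the hardened include: force https and pin the file with its SRI digest
// (the digest must be computed from the exact file the site intends to load).
function hardenInclude(src, integrityDigest) {
  const httpsSrc = src.replace(/^http:\/\//i, "https://");
  return `<script src="${httpsSrc}" integrity="${integrityDigest}" crossorigin="anonymous"></script>`;
}

for (const f of auditScriptIncludes(SAMPLE_HTML)) console.log(f.src, "->", f.verdict);
```

Note that SRI only helps once the file is served over HTTPS and its digest is pinned; a widget whose script changes on every release needs the tag updated with each new digest.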
