oss-sec mailing list archives

Re: CVE Request - Coin Widget serves code over plain http.


From: Kurt Seifried <kseifried () redhat com>
Date: Sat, 27 Jul 2013 13:09:37 -0600

On 07/26/2013 07:19 PM, Evan Teitelman wrote:
Coin Widget is a Bitcoin and Litecoin donation widget. Its code
is normally downloaded from http://coinwidget.com/widget/coin.js in
the following manner.

<script src="http://coinwidget.com/widget/coin.js"></script>
<script>
CoinWidgetCom.go({
    wallet_address: "31uEbMgunupShBVTewXjtqbBv5MndwfXhb",
    currency: "bitcoin",
    counter: "count",
    alignment: "bl",
    qrcode: true,
    auto_show: false,
    lbl_button: "Donate",
    lbl_address: "My Bitcoin Address:",
    lbl_count: "donations",
    lbl_amount: "BTC"
});
</script>

Without SSL or similar protection, it is possible for the code to
be modified in transit. A malicious individual could modify the
code to replace a legitimate wallet address with his or her own.

I also tried "https://coinwidget.com/widget/coin.js" and it failed
(you can telnet to the port, it's open, but I got an SSL error). If
you try
"https://www.ssllabs.com/ssltest/analyze.html?d=coinwidget.com+"
you'll see the same.

I believe this vulnerability is an example of CWE-300. Does it need
a CVE identifier?

The problem is not in the code, the problem is in how the code is
served/distributed. CVE is traditionally for software and not for
services. So under a simplistic reading of that strict definition I
would say this doesn't deserve a CVE.

However, the world is changing; for example, a program that included an
auto-updater component that was advertised as being "Secure" but went
over HTTP would probably qualify for a CVE.

Steve, I'm bouncing this to you. I'm inclined to NOT assign a CVE since
it opens up a huge can of worms (every single bit of JavaScript served
from HTTP and not available via HTTPS ever), but I can also see how it
should maybe get a CVE.

The good news is that future versions of Firefox are implementing a
security policy that when loading a page from HTTPS they will not load
page components from HTTP, which would fix this issue. Hopefully all
the browsers do this.


I have copied the creator of Coin Widget on this email.

Thank you for your time, Evan Teitelman.



-- 
Kurt Seifried, Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
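As an added example (not code from this thread or from Coin Widget), a small Python check that flags script includes fetched over plain HTTP, the condition the report describes: such a script is open to modification in transit, and on an HTTPS page it is also what the mixed-content policy mentioned above would block. The HTML sample is constructed from the snippet in the report; the example.org page URLs are assumptions.

```python
"""Flag <script src=...> includes that a browser would fetch over plain HTTP."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def insecure_script_includes(html, page_url):
    """Return (src, reason) pairs for scripts that would travel over plain HTTP.

    page_url is the URL the document itself was loaded from; relative and
    protocol-relative src values inherit its scheme.
    """
    page_scheme = urlparse(page_url).scheme.lower()
    collector = _ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        scheme = urlparse(src).scheme.lower()
        if scheme == "http":
            if page_scheme == "https":
                reason = "mixed content: HTTP script on an HTTPS page"
            else:
                reason = "plain HTTP: script can be rewritten in transit"
            findings.append((src, reason))
        elif scheme == "" and page_scheme == "http":
            # "//host/x.js" or "/x.js" on an http:// page is also fetched over HTTP
            findings.append((src, "inherits plain HTTP from the page"))
    return findings


# Constructed sample: the include pattern from the report plus the inline call.
SAMPLE_HTML = """
<script src="http://coinwidget.com/widget/coin.js"></script>
<script>CoinWidgetCom.go({wallet_address: "31uEbMgunupShBVTewXjtqbBv5MndwfXhb",
                          currency: "bitcoin"});</script>
"""

if __name__ == "__main__":
    for src, reason in insecure_script_includes(SAMPLE_HTML, "http://example.org/donate"):
        print(f"{src}: {reason}")
```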