oss-sec mailing list archives
Re: CVE Request - Coin Widget serves code over plain http.
From: Kurt Seifried <kseifried () redhat com>
Date: Sat, 27 Jul 2013 13:09:37 -0600
On 07/26/2013 07:19 PM, Evan Teitelman wrote:
> Coin Widget is a Bitcoin and Litecoin donation widget. Its code is normally downloaded from http://coinwidget.com/widget/coin.js in the following manner.
>
>     <script src="http://coinwidget.com/widget/coin.js"></script>
>     <script>
>     CoinWidgetCom.go({
>         wallet_address: "31uEbMgunupShBVTewXjtqbBv5MndwfXhb"
>         , currency: "bitcoin"
>         , counter: "count"
>         , alignment: "bl"
>         , qrcode: true
>         , auto_show: false
>         , lbl_button: "Donate"
>         , lbl_address: "My Bitcoin Address:"
>         , lbl_count: "donations"
>         , lbl_amount: "BTC"
>     });
>     </script>
>
> Without SSL or similar protection, it is possible for the code to be modified in transit. A malicious individual could modify the code to replace a legitimate wallet address with his or her own.
I also tried "https://coinwidget.com/widget/coin.js" and it failed (you can telnet to the port, it's open, but I got an SSL error). If you try "https://www.ssllabs.com/ssltest/analyze.html?d=coinwidget.com+" you'll see the same.
> I believe this vulnerability is an example of CWE-300. Does it need a CVE identifier?
The problem is not in the code, the problem is in how the code is served/distributed. CVE is traditionally for software and not for services. So under a simplistic reading of that strict definition I would say this doesn't deserve a CVE. However the world is changing, for example a program that included an auto-updater component that was advertised as being "Secure" but went over HTTP would probably qualify for a CVE.

Steve, I'm bouncing this to you. I'm inclined to NOT assign a CVE since it opens up a huge can of worms (every single bit of JavaScript served from HTTP and not available via HTTPS ever), but I can also see how it should maybe get a CVE.

The good news is that future versions of Firefox are implementing a security policy that when loading a page from HTTPS they will not load page components from HTTP, which would fix this issue. Hopefully all the browsers do this.
> I have copied the creator of Coin Widget on this email. Thank you for your time, Evan Teitelman.
-- 
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993