oss-sec mailing list archives
Re: Re: MantisBT weakened CSP when using bundled Gravatar plugin
From: Reed Loden <reed () reedloden com>
Date: Mon, 29 Aug 2016 16:31:50 -0700
Any reason why you don't just always use the https:// version for Gravatar here? Why ever use http://? Even if the MantisBT install is on HTTP, best to always load any third-party resources over TLS to better protect against MITM. Just surprised me to see this: https://github.com/mantisbt/mantisbt/blob/b3511d2feb47eaee41feb5f69cf3c8a2c9acd229/plugins/Gravatar/Gravatar.php#L165-L169 ~reed On Mon, Aug 29, 2016 at 2:51 PM, <cve-assign () mitre org> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256MantisBT 1.3.0-rc.2 introduced a new bundled plugin to handle display of users' avatars using Gravatar. Instead of adding the Gravatar web site to the list of allowed image sources in MantisBT's Content Security Policy, the plugin was replacing the whole policy by: img-src 'self' http://www.gravatar.com/ instead of the more strict default one of: default-src 'self'; frame-ancestors 'none'; style-src 'self'; script-src 'self' Relaxed policy allows execution of remote and inline scripts, e.g. potentially enabling XSS attacks. https://github.com/mantisbt/mantisbt/commit/b3511d2feb47eaee41feb5f69cf3c8a2c9acd229https://mantisbt.org/bugs/view.php?id=21263Use CVE-2016-7111. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJXxK4MAAoJEHb/MwWLVhi2p3EQAKULs3JDc49mBXeyVZ24IUoE 6iWcUGjwiE5cHXnAxcNKZZp7/xsFo9tgdLbLZ37x48kU1cwp/B/rnQQCWJHfUJxJ gR0qIutmEWCAq3nIVC0IR+tBm//0iiJuTuRhH/NjE9W4+EBPPjIHkkHxvnWLqyJo SWBP/JJDYbB8sQ366+WLrNHTdxK+keVcu406KrbagWhPaMG1C9QAkTeHRxovI/me JkbA3cVjfmO9BjHrAkbEYEJRU6Qxn8XsXUNW8bGoHBUt4WFON8BOGpt6Yyn1iDCs APOou4yZqMPM8jSnS8MOCM9POuuK8QNXMTLPgnMkxLcFntz79ogVmzJYfl6jyQ6V PW2dNtFU03QTI4nvL2UbVi1+oEbZycQbRnU0If7wHjedXIekFEX2uik0fAnJRwAk LDgT/+g6g02RJZPmteQFrT0ZtXav2rFiznHicL93mRLt1sOiE32ULJrQ8DLBP5SA EYitfKS09oBLDdSC5k+wogX22UgoFm4xZLrauVbRMKUApZNvKVSAADNewmRopXKR Fm2lDPJKmmb+oOWVBj7MDz7J9u1SvnyVieX+53E8Bt0tnr9KD5R61XNfjnKJtvZg +2l+S8HEUN3FdDz2WINbs9z1Sd5Fok9jc+TQXeIXR07jPC+MKE26zywhIiMYIfl/ 2Rs4hh+EhmuT20OUq14x =U1Gg -----END PGP SIGNATURE-----
Current thread:
- MantisBT weakened CSP when using bundled Gravatar plugin Damien Regad (Aug 27)
- Re: MantisBT weakened CSP when using bundled Gravatar plugin cve-assign (Aug 29)
- Re: Re: MantisBT weakened CSP when using bundled Gravatar plugin Reed Loden (Aug 29)
- Re: MantisBT weakened CSP when using bundled Gravatar plugin Damien Regad (Aug 30)
- Re: Re: MantisBT weakened CSP when using bundled Gravatar plugin Reed Loden (Aug 29)
- Re: MantisBT weakened CSP when using bundled Gravatar plugin cve-assign (Aug 29)