oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Re: MantisBT weakened CSP when using bundled Gravatar plugin

From: Reed Loden <reed () reedloden com>
Date: Mon, 29 Aug 2016 16:31:50 -0700
Any reason why you don't just always use the https:// version for Gravatar
here? Why ever use http://? Even if the MantisBT install is on HTTP, best
to always load any third-party resources over TLS to better protect against
MITM.

Just surprised me to see this:
https://github.com/mantisbt/mantisbt/blob/b3511d2feb47eaee41feb5f69cf3c8a2c9acd229/plugins/Gravatar/Gravatar.php#L165-L169

~reed

On Mon, Aug 29, 2016 at 2:51 PM, <cve-assign () mitre org> wrote:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


MantisBT 1.3.0-rc.2 introduced a new bundled plugin to handle display of
users' avatars using Gravatar.

Instead of adding the Gravatar web site to the list of allowed image
sources in MantisBT's Content Security Policy, the plugin was replacing
the whole policy by:

   img-src 'self' http://www.gravatar.com/

instead of the more strict default one of:

   default-src 'self'; frame-ancestors 'none'; style-src 'self';
   script-src 'self'

Relaxed policy allows execution of remote and inline scripts, e.g.
potentially enabling XSS attacks.

https://github.com/mantisbt/mantisbt/commit/

b3511d2feb47eaee41feb5f69cf3c8a2c9acd229

https://mantisbt.org/bugs/view.php?id=21263


Use CVE-2016-7111.

- --
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXxK4MAAoJEHb/MwWLVhi2p3EQAKULs3JDc49mBXeyVZ24IUoE
6iWcUGjwiE5cHXnAxcNKZZp7/xsFo9tgdLbLZ37x48kU1cwp/B/rnQQCWJHfUJxJ
gR0qIutmEWCAq3nIVC0IR+tBm//0iiJuTuRhH/NjE9W4+EBPPjIHkkHxvnWLqyJo
SWBP/JJDYbB8sQ366+WLrNHTdxK+keVcu406KrbagWhPaMG1C9QAkTeHRxovI/me
JkbA3cVjfmO9BjHrAkbEYEJRU6Qxn8XsXUNW8bGoHBUt4WFON8BOGpt6Yyn1iDCs
APOou4yZqMPM8jSnS8MOCM9POuuK8QNXMTLPgnMkxLcFntz79ogVmzJYfl6jyQ6V
PW2dNtFU03QTI4nvL2UbVi1+oEbZycQbRnU0If7wHjedXIekFEX2uik0fAnJRwAk
LDgT/+g6g02RJZPmteQFrT0ZtXav2rFiznHicL93mRLt1sOiE32ULJrQ8DLBP5SA
EYitfKS09oBLDdSC5k+wogX22UgoFm4xZLrauVbRMKUApZNvKVSAADNewmRopXKR
Fm2lDPJKmmb+oOWVBj7MDz7J9u1SvnyVieX+53E8Bt0tnr9KD5R61XNfjnKJtvZg
+2l+S8HEUN3FdDz2WINbs9z1Sd5Fok9jc+TQXeIXR07jPC+MKE26zywhIiMYIfl/
2Rs4hh+EhmuT20OUq14x
=U1Gg
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: