[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Re: CVE request: Pyplate multiple vulnerabilities
From:       cve-assign () mitre ! org
Date:       2014-05-23 16:50:25
Message-ID: 201405231650.s4NGoP81025239 () linus ! mitre ! org
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> http://openwall.com/lists/oss-security/2014/05/14/3


> Installation instruction tells user to execute following commands without
> checking any checksums or similar:
> 
>> wget http://pyplate.com/pyplate_install.sh
>> chmod +x ./pyplate_install.sh
>> sudo ./pyplate_install.sh

This type of issue is probably outside the scope of CVE. A set of
installation commands only implies that an installation can be done
that way, not that an installation should be done that way. There's no
commonly recognized requirement for a vendor to try to document the
types of pre-installation audits that might be important at customer
sites. Of course, the issue is worth pointing out because the vendor
may want to add functionality for download verification, etc.


> File /usr/lib/cgi-bin/create_passwd_file.py creates passwd.db for admin user
> password with world readable permissions.
> -rw-r--r-- 1 www-data www-data 99 May 13 20:45 /usr/share/pyplate/passwd.db

Use CVE-2014-3851.


> Application is not using HttpOnly ... flag in cookie "id".

Use CVE-2014-3852.


> Application is not using ... Secure ... flag in cookie "id".

Use CVE-2014-3853.


> CSRF + XSS with cookie stealing PoC:
> action="http://example.com/admin/addScript.py" method="POST"
> name="title" value="[XSS]"

Use CVE-2014-3854 for this CSRF vulnerability. The XSS could be
independently relevant (with a separate CVE ID) if it can be used for
privilege escalation by someone posting JavaScript intentionally using
admin/addScript.py. We didn't immediately notice anything at
http://www.pyplate.com/how-to/ suggesting that there would be multiple
user accounts, with different privilege levels, who have legitimate
access to admin/addScript.py.


> payload = {'filename': '../../../../etc/passwd'}
> r = requests.post('http://example.org/cgi-bin/download.py',
> data=payload)

Use CVE-2014-3855.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTf3vXAAoJEKllVAevmvmsfNoH/iI0z8SsyhS+B7MVJe/RcWfX
ekl0O8ZGMjvM597PkI+j2sPfvyx9wpGkX3m6aZmPzSnobIaz+Wcq4QmeJ4sRT89i
/mjhFa/xChz3N89NO9RVoGXKYgy9eJdiAi+7XF+eNm3W0EcOeovxjSemvugDqHVo
d85JqKrWmFMqii/ZR+93DhGZCrKq8V/nqKf9Sd+4tSWXyNjVMV5Yp+wksP1E2f/d
Mo+q2MuYeQVPu7RFWdhHVRLZV8Exj4mFA7+llz6gl6cDpHlj3wYDXrFtxLIFSeWf
fH9Vi8P02HwkLFGcjEV22v3zXXSl7ZmsNLh2rhwztRhfnSYiEjHTgr9qeVtgQS0=
=eX44
-----END PGP SIGNATURE-----
[prev in list] [next in list] [prev in thread] [next in thread]