Bug#695348: collabtive: XSS and CSRF issues

2012-12-30 Thread Moritz Mühlenhoff
On Fri, Dec 07, 2012 at 01:59:50PM +0100, Thijs Kinkhorst wrote:
> Package: collabtive
> Severity: important
> Tags: security
> 
> Hi,
> 
> Two CVEs were assigned recently for 'ancient' Collabtive security issues:
> 
> CVE-2010-5284
> http://www.exploit-db.com/exploits/15240
> 
> CVE-2010-5285
> http://www.exploit-db.com/exploits/15240
> 
> Can you please check and verify that these old issues have been fixed in
> the meantime?

Gunnar, did you get in touch with upstream?

Cheers,
Moritz


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#695348: collabtive: XSS and CSRF issues

2012-12-07 Thread Thijs Kinkhorst
Package: collabtive
Severity: important
Tags: security

Hi,

Two CVEs were assigned recently for 'ancient' Collabtive security issues:

CVE-2010-5284
http://www.exploit-db.com/exploits/15240

CVE-2010-5285
http://www.exploit-db.com/exploits/15240

Can you please check and verify that these old issues have been fixed in
the meantime?


thanks,
Thijs





Bug#695348: collabtive: XSS and CSRF issues

2014-12-28 Thread Moritz Mühlenhoff
On Tue, Dec 09, 2014 at 08:56:21PM -0600, Gunnar Wolf wrote:
> Moritz Mühlenhoff said [Tue, Dec 09, 2014 at 10:17:14PM +0100]:
> > > > I'm getting in touch with the authors right now. Thanks!
> > > 
> > > http://collabtive.o-dyn.de/forum/viewtopic.php?f=11&t=8479
> > 
> > Gunnar,
> > is this fixed in the version in jessie?
> 
> Sorry for the delay for this reply!
> 
> I can confirm that, from the three attacks mentioned in
> exploit-db¹, attacks 1 and 3 do not work. As for attack 2 (the CSRF),
> the description just reads:
> 
>     Technically, attacker can create a specially crafted page and
>     force collabtive administrators to visit it and can gain
>     administrative privilege. For prevention from CSRF
>     vulnerabilities, application needs anti-csrf token, captcha and
>     asking old password for critical actions.
> 
> The referred site for the POC exploit² no longer exists, so I cannot
> confirm whether it has been fixed or not. I can see from the forum
> post you linked to that the author does not believe it to be a
> realistic, important enough issue to worry about.

I've updated the security tracker, I suggest we go ahead and close this
bug, no need to keep this open.

Cheers,
Moritz





Bug#695348: collabtive: XSS and CSRF issues

2013-01-10 Thread Gunnar Wolf
Moritz Mühlenhoff said [Sun, Dec 30, 2012 at 02:23:51PM +0100]:
> (...)
> > Two CVEs were assigned recently for 'ancient' Collabtive security issues:
> (...)
> > Can you please check and verify that these old issues have been fixed in
> > the meantime?
> 
> Gunnar, did you get in touch with upstream?

Hi, Thijs and Moritz. Thanks for following up on this - I was on
vacation, and this mail fell through the cracks for me. I'll get in
touch with upstream right away.





Bug#695348: collabtive: XSS and CSRF issues

2013-01-10 Thread Gunnar Wolf
> > Two CVEs were assigned recently for 'ancient' Collabtive security issues:
> > 
> > CVE-2010-5284
> > http://www.exploit-db.com/exploits/15240
> > 
> > CVE-2010-5285
> > http://www.exploit-db.com/exploits/15240

FWIW the exploit-db webpage points at three different problems, two
XSS and one CSRF. The XSS are not present in collabtive 0.7.6, but the
CSRF is.

I'm getting in touch with the authors right now. Thanks!





Bug#695348: collabtive: XSS and CSRF issues

2013-01-10 Thread Gunnar Wolf
> FWIW the exploit-db webpage points at three different problems, two
> XSS and one CSRF. The XSS are not present in collabtive 0.7.6, but the
> CSRF is.
> 
> I'm getting in touch with the authors right now. Thanks!

http://collabtive.o-dyn.de/forum/viewtopic.php?f=11&t=8479





Bug#695348: collabtive: XSS and CSRF issues

2014-12-09 Thread Moritz Mühlenhoff
On Thu, Jan 10, 2013 at 04:47:35PM -0600, Gunnar Wolf wrote:
> > FWIW the exploit-db webpage points at three different problems, two
> > XSS and one CSRF. The XSS are not present in collabtive 0.7.6, but the
> > CSRF is.
> > 
> > I'm getting in touch with the authors right now. Thanks!
> 
> http://collabtive.o-dyn.de/forum/viewtopic.php?f=11&t=8479

Gunnar,
is this fixed in the version in jessie?

Cheers,
Moritz





Bug#695348: collabtive: XSS and CSRF issues

2014-12-09 Thread Gunnar Wolf
Moritz Mühlenhoff said [Tue, Dec 09, 2014 at 10:17:14PM +0100]:
> > > I'm getting in touch with the authors right now. Thanks!
> > 
> > http://collabtive.o-dyn.de/forum/viewtopic.php?f=11&t=8479
> 
> Gunnar,
> is this fixed in the version in jessie?

Sorry for the delay for this reply!

I can confirm that, from the three attacks mentioned in
exploit-db¹, attacks 1 and 3 do not work. As for attack 2 (the CSRF),
the description just reads:

    Technically, attacker can create a specially crafted page and
    force collabtive administrators to visit it and can gain
    administrative privilege. For prevention from CSRF
    vulnerabilities, application needs anti-csrf token, captcha and
    asking old password for critical actions.

The referred site for the POC exploit² no longer exists, so I cannot
confirm whether it has been fixed or not. I can see from the forum
post you linked to that the author does not believe it to be a
realistic, important enough issue to worry about.

¹ http://www.exploit-db.com/exploits/15240/
² http://www.anatoliasecurity.com/exploits/collabtive-csrf-xploit.txt
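
An added example, not part of the thread and not Collabtive's code: the anti-CSRF token that the quoted advisory text calls for, shown in Python as a session-bound HMAC token that every state-changing request must carry. The function names, the `csrf_token` field name and the one-hour lifetime are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)   # per-deployment server secret (constructed here)
TOKEN_TTL = 3600                       # token lifetime in seconds (assumed value)
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def _mac(session_id, ts):
    """HMAC over the session id and issue time, so a token is useless elsewhere."""
    msg = f"{session_id}|{ts}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id, now=None):
    """Return 'timestamp.mac' for embedding in a hidden form field."""
    ts = str(int(now if now is not None else time.time()))
    return f"{ts}.{_mac(session_id, ts)}"


def token_is_valid(session_id, token, now=None):
    """Verify the MAC in constant time, then check the token's age."""
    try:
        ts, mac_hex = token.split(".", 1)
        issued = int(ts)
    except (AttributeError, ValueError):
        return False                   # missing or malformed token
    if not hmac.compare_digest(_mac(session_id, ts).encode(), mac_hex.encode()):
        return False
    current = now if now is not None else time.time()
    return 0 <= current - issued <= TOKEN_TTL


def allow_request(method, session_id, form, now=None):
    """Gate for a handler: state-changing methods need a valid token."""
    if method.upper() not in STATE_CHANGING:
        return True
    return token_is_valid(session_id, form.get("csrf_token"), now)


if __name__ == "__main__":
    sid = "constructed-admin-session"  # constructed sample session id
    good = {"csrf_token": issue_token(sid), "action": "edit-user"}
    forged = {"action": "edit-user"}   # a cross-site form cannot read the token
    print(allow_request("POST", sid, good), allow_request("POST", sid, forged))
```

The session cookie alone is sent automatically by the browser on a cross-site request, which is why the gate requires a value that only a page served to that session can contain.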

