collabtive: XSS and CSRF issues

Related Vulnerabilities: CVE-2010-5284   CVE-2010-5285  

Debian Bug report logs - #695348

Reported by: "Thijs Kinkhorst" <thijs@debian.org>

Date: Fri, 7 Dec 2012 13:03:01 UTC

Severity: important

Tags: security

Fixed in version 2.0+dfsg-5

Done: Gunnar Wolf <gwolf@gwolf.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Gunnar Wolf <gwolf@debian.org>:
Bug#695348; Package collabtive. (Fri, 07 Dec 2012 13:03:03 GMT)


Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
New Bug report received and forwarded. Copy sent to Gunnar Wolf <gwolf@debian.org>. (Fri, 07 Dec 2012 13:03:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Thijs Kinkhorst" <thijs@debian.org>
To: submit@bugs.debian.org
Subject: collabtive: XSS and CSRF issues
Date: Fri, 7 Dec 2012 13:59:50 +0100
Package: collabtive
Severity: important
Tags: security

Hi,

Two CVE's were assigned recently for 'ancient' Collabtive security issues:

CVE-2010-5284
http://www.exploit-db.com/exploits/15240

CVE-2010-5285
http://www.exploit-db.com/exploits/15240

Can you please check and verify that these old issues have been fixed in
the mean time?


thanks,
Thijs



Information forwarded to debian-bugs-dist@lists.debian.org, Gunnar Wolf <gwolf@debian.org>:
Bug#695348; Package collabtive. (Sun, 30 Dec 2012 13:27:05 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Gunnar Wolf <gwolf@debian.org>. (Sun, 30 Dec 2012 13:27:05 GMT)


Message #10 received at 695348@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: 695348@bugs.debian.org
Subject: Re: collabtive: XSS and CSRF issues
Date: Sun, 30 Dec 2012 14:23:51 +0100
On Fri, Dec 07, 2012 at 01:59:50PM +0100, Thijs Kinkhorst wrote:
> Package: collabtive
> Severity: important
> Tags: security
> 
> Hi,
> 
> Two CVE's were assigned recently for 'ancient' Collabtive security issues:
> 
> CVE-2010-5284
> http://www.exploit-db.com/exploits/15240
> 
> CVE-2010-5285
> http://www.exploit-db.com/exploits/15240
> 
> Can you please check and verify that these old issues have been fixed in
> the mean time?

Gunnar, did you get in touch with upstream?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Gunnar Wolf <gwolf@debian.org>:
Bug#695348; Package collabtive. (Thu, 10 Jan 2013 22:24:06 GMT)


Acknowledgement sent to Gunnar Wolf <gwolf@gwolf.org>:
Extra info received and forwarded to list. Copy sent to Gunnar Wolf <gwolf@debian.org>. (Thu, 10 Jan 2013 22:24:06 GMT)


Message #15 received at 695348@bugs.debian.org:

From: Gunnar Wolf <gwolf@gwolf.org>
To: Moritz Mühlenhoff <jmm@inutil.org>, 695348@bugs.debian.org
Subject: Re: Bug#695348: collabtive: XSS and CSRF issues
Date: Thu, 10 Jan 2013 16:18:51 -0600
Moritz Mühlenhoff dijo [Sun, Dec 30, 2012 at 02:23:51PM +0100]:
> (...)
> > Two CVE's were assigned recently for 'ancient' Collabtive security issues:
> (...)
> > Can you please check and verify that these old issues have been fixed in
> > the mean time?
> 
> Gunnar, did you get in touch with upstream?

Hi, Thijs and Moritz. Thanks for following up on this - I was on
vacation, and this mail fell through the cracks for me. I'll get in
touch with upstream right away.



Information forwarded to debian-bugs-dist@lists.debian.org, Gunnar Wolf <gwolf@debian.org>:
Bug#695348; Package collabtive. (Thu, 10 Jan 2013 22:39:06 GMT)


Acknowledgement sent to Gunnar Wolf <gwolf@gwolf.org>:
Extra info received and forwarded to list. Copy sent to Gunnar Wolf <gwolf@debian.org>. (Thu, 10 Jan 2013 22:39:06 GMT)


Message #20 received at 695348@bugs.debian.org:

From: Gunnar Wolf <gwolf@gwolf.org>
To: Moritz Mühlenhoff <jmm@inutil.org>, 695348@bugs.debian.org
Subject: Re: Bug#695348: collabtive: XSS and CSRF issues
Date: Thu, 10 Jan 2013 16:32:09 -0600
> > Two CVE's were assigned recently for 'ancient' Collabtive security issues:
> > 
> > CVE-2010-5284
> > http://www.exploit-db.com/exploits/15240
> > 
> > CVE-2010-5285
> > http://www.exploit-db.com/exploits/15240

FWIW the exploit-db webpage points at three different problems, two
XSS and one CSRF. The XSS are not present in collabtive 0.7.6, but the
CSRF is.

I'm getting in touch with the authors right now. Thanks!



Information forwarded to debian-bugs-dist@lists.debian.org, Gunnar Wolf <gwolf@debian.org>:
Bug#695348; Package collabtive. (Thu, 10 Jan 2013 22:54:03 GMT)


Acknowledgement sent to Gunnar Wolf <gwolf@gwolf.org>:
Extra info received and forwarded to list. Copy sent to Gunnar Wolf <gwolf@debian.org>. (Thu, 10 Jan 2013 22:54:03 GMT)


Message #25 received at 695348@bugs.debian.org:

From: Gunnar Wolf <gwolf@gwolf.org>
To: Moritz Mühlenhoff <jmm@inutil.org>, 695348@bugs.debian.org
Subject: Re: Bug#695348: collabtive: XSS and CSRF issues
Date: Thu, 10 Jan 2013 16:47:35 -0600
> FWIW the exploit-db webpage points at three different problems, two
> XSS and one CSRF. The XSS are not present in collabtive 0.7.6, but the
> CSRF is.
> 
> I'm getting in touch with the authors right now. Thanks!

http://collabtive.o-dyn.de/forum/viewtopic.php?f=11&t=8479



Information forwarded to debian-bugs-dist@lists.debian.org, Gunnar Wolf <gwolf@debian.org>:
Bug#695348; Package collabtive. (Tue, 09 Dec 2014 21:21:04 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Gunnar Wolf <gwolf@debian.org>. (Tue, 09 Dec 2014 21:21:04 GMT)


Message #30 received at 695348@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Gunnar Wolf <gwolf@gwolf.org>
Cc: 695348@bugs.debian.org
Subject: Re: Bug#695348: collabtive: XSS and CSRF issues
Date: Tue, 9 Dec 2014 22:17:14 +0100
On Thu, Jan 10, 2013 at 04:47:35PM -0600, Gunnar Wolf wrote:
> > FWIW the exploit-db webpage points at three different problems, two
> > XSS and one CSRF. The XSS are not present in collabtive 0.7.6, but the
> > CSRF is.
> > 
> > I'm getting in touch with the authors right now. Thanks!
> 
> http://collabtive.o-dyn.de/forum/viewtopic.php?f=11&t=8479

Gunnar,
is this fixed in the version in jessie?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Gunnar Wolf <gwolf@debian.org>:
Bug#695348; Package collabtive. (Wed, 10 Dec 2014 03:06:04 GMT)


Acknowledgement sent to Gunnar Wolf <gwolf@gwolf.org>:
Extra info received and forwarded to list. Copy sent to Gunnar Wolf <gwolf@debian.org>. (Wed, 10 Dec 2014 03:06:04 GMT)


Message #35 received at 695348@bugs.debian.org:

From: Gunnar Wolf <gwolf@gwolf.org>
To: Moritz Mühlenhoff <jmm@inutil.org>, 695348@bugs.debian.org
Subject: Re: Bug#695348: collabtive: XSS and CSRF issues
Date: Tue, 9 Dec 2014 20:56:21 -0600
[Message part 1 (text/plain, inline)]
Moritz Mühlenhoff dijo [Tue, Dec 09, 2014 at 10:17:14PM +0100]:
> > > I'm getting in touch with the authors right now. Thanks!
> > 
> > http://collabtive.o-dyn.de/forum/viewtopic.php?f=11&t=8479
> 
> Gunnar,
> is this fixed in the version in jessie?

Sorry for the delay for this reply!

I can confirm that, of the three attacks mentioned in
exploit-db¹, attacks 1 and 3 do not work. As for attack 2 (the CSRF),
the description just reads:

    Technically, attacker can create a specially crafted page and
    force collabtive administrators to visit it and can gain
    administrative privilege. For prevention from CSRF
    vulnerabilities, application needs anti-csrf token, captcha and
    asking old password for critical actions.

The referred site for the POC exploit² no longer exists, so I cannot
confirm whether it has been fixed or not. I can see from the forum
post you linked to that the author does not believe it to be a
realistic, important enough issue to worry about.

¹ http://www.exploit-db.com/exploits/15240/
² http://www.anatoliasecurity.com/exploits/collabtive-csrf-xploit.txt
[signature.asc (application/pgp-signature, inline)]
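
The defence named in the description quoted in the message above (an anti-CSRF token plus asking for the old password on critical actions), as an added example that is not part of the original message and not Collabtive's code. It is written in Python rather than Collabtive's PHP, and every function name, the session layout and the sample data are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, constructed for the demo

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _mac(session_id, nonce):
    return hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()

def issue_csrf_token(session_id):
    """Token placed in the real form; the HMAC binds it to one session."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"

def csrf_token_valid(session_id, token):
    nonce, sep, mac = (token or "").partition(".")
    if not sep:
        return False
    return hmac.compare_digest(_mac(session_id, nonce).encode(), mac.encode())

def change_password(session, form, users):
    """Hypothetical critical action; returns (HTTP status, reason)."""
    # The browser attaches the session cookie to a cross-site request, but
    # the foreign page cannot read the token out of the genuine form.
    if not csrf_token_valid(session["id"], form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    # Second check: the current password is not carried by the browser.
    user = users[session["user"]]
    supplied = hash_password(form.get("old_password", ""), user["salt"])
    if not hmac.compare_digest(supplied, user["pw"]):
        return 403, "old password incorrect"
    user["pw"] = hash_password(form["new_password"], user["salt"])
    return 200, "password changed"

def demo():
    """Constructed data: one admin account, four requests on its session."""
    salt = secrets.token_bytes(16)
    users = {"admin": {"salt": salt, "pw": hash_password("old-pw", salt)}}
    admin = {"id": "sess-admin", "user": "admin"}
    good, other = issue_csrf_token("sess-admin"), issue_csrf_token("sess-other")
    base = {"new_password": "new-pw", "old_password": "old-pw"}
    requests = [base,                                   # no token at all
                {**base, "csrf_token": other},          # token of another session
                {"new_password": "x", "csrf_token": good},  # token, no old password
                {**base, "csrf_token": good}]           # legitimate form post
    return [change_password(admin, form, users)[0] for form in requests]
```

Only the last request in `demo()` changes state; the other three are rejected before the password is touched.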

Information forwarded to debian-bugs-dist@lists.debian.org, Gunnar Wolf <gwolf@debian.org>:
Bug#695348; Package collabtive. (Mon, 29 Dec 2014 00:33:05 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Gunnar Wolf <gwolf@debian.org>. (Mon, 29 Dec 2014 00:33:05 GMT)


Message #40 received at 695348@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Gunnar Wolf <gwolf@gwolf.org>
Cc: 695348@bugs.debian.org
Subject: Re: Bug#695348: collabtive: XSS and CSRF issues
Date: Mon, 29 Dec 2014 01:29:10 +0100
On Tue, Dec 09, 2014 at 08:56:21PM -0600, Gunnar Wolf wrote:
> Moritz Mühlenhoff dijo [Tue, Dec 09, 2014 at 10:17:14PM +0100]:
> > > > I'm getting in touch with the authors right now. Thanks!
> > > 
> > > http://collabtive.o-dyn.de/forum/viewtopic.php?f=11&t=8479
> > 
> > Gunnar,
> > is this fixed in the version in jessie?
> 
> Sorry for the delay for this reply!
> 
> I can confirm that, of the three attacks mentioned in
> exploit-db¹, attacks 1 and 3 do not work. As for attack 2 (the CSRF),
> the description just reads:
> 
>     Technically, attacker can create a specially crafted page and
>     force collabtive administrators to visit it and can gain
>     administrative privilege. For prevention from CSRF
>     vulnerabilities, application needs anti-csrf token, captcha and
>     asking old password for critical actions.
> 
> The referred site for the POC exploit² no longer exists, so I cannot
> confirm whether it has been fixed or not. I can see from the forum
> post you linked to that the author does not believe it to be a
> realistic, important enough issue to worry about.

I've updated the security tracker, I suggest we go ahead and close this
bug, no need to keep this open.

Cheers,
        Moritz



Reply sent to Gunnar Wolf <gwolf@gwolf.org>:
You have taken responsibility. (Thu, 22 Oct 2015 16:00:07 GMT)


Notification sent to "Thijs Kinkhorst" <thijs@debian.org>:
Bug acknowledged by developer. (Thu, 22 Oct 2015 16:00:08 GMT)


Message #45 received at 695348-done@bugs.debian.org:

From: Gunnar Wolf <gwolf@gwolf.org>
To: 695348-done@bugs.debian.org
Subject: Re: Bug#695348: collabtive: XSS and CSRF issues
Date: Thu, 22 Oct 2015 10:51:29 -0500
Version: 2.0+dfsg-5

We agreed to close this bug almost a year ago, but no action was
taken then.



Information forwarded to debian-bugs-dist@lists.debian.org, Gunnar Wolf <gwolf@debian.org>:
Bug#695348; Package collabtive. (Thu, 22 Oct 2015 16:15:03 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
Extra info received and forwarded to list. Copy sent to Gunnar Wolf <gwolf@debian.org>. (Thu, 22 Oct 2015 16:15:03 GMT)


Message #50 received at 695348@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: 695348@bugs.debian.org
Subject: info
Date: Thu, 22 Oct 2015 19:13:44 +0300
This was fixed in 0.7.6-1 already, which was tested. Possibly even earlier.

-- 
Henri Salo



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 20 Nov 2015 07:29:45 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:20:25 2019; Machine Name: buxtehude
