Debian Bug report logs - #695348
collabtive: XSS and CSRF issues
Reported by: "Thijs Kinkhorst" <thijs@debian.org>
Date: Fri, 7 Dec 2012 13:03:01 UTC
Severity: important
Tags: security
Fixed in version 2.0+dfsg-5
Done: Gunnar Wolf <gwolf@gwolf.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Gunnar Wolf <gwolf@debian.org>: Bug#695348; Package collabtive. (Fri, 07 Dec 2012 13:03:03 GMT)
Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>: New Bug report received and forwarded. Copy sent to Gunnar Wolf <gwolf@debian.org>. (Fri, 07 Dec 2012 13:03:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: collabtive
Severity: important
Tags: security
Hi,
Two CVE's were assigned recently for 'ancient' Collabtive security issues:
CVE-2010-5284
http://www.exploit-db.com/exploits/15240
CVE-2010-5285
http://www.exploit-db.com/exploits/15240
Can you please check and verify that these old issues have been fixed in
the mean time?
thanks,
Thijs
Information forwarded to debian-bugs-dist@lists.debian.org, Gunnar Wolf <gwolf@debian.org>: Bug#695348; Package collabtive. (Sun, 30 Dec 2012 13:27:05 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Gunnar Wolf <gwolf@debian.org>. (Sun, 30 Dec 2012 13:27:05 GMT)
Message #10 received at 695348@bugs.debian.org:
On Fri, Dec 07, 2012 at 01:59:50PM +0100, Thijs Kinkhorst wrote:
> Package: collabtive
> Severity: important
> Tags: security
>
> Hi,
>
> Two CVE's were assigned recently for 'ancient' Collabtive security issues:
>
> CVE-2010-5284
> http://www.exploit-db.com/exploits/15240
>
> CVE-2010-5285
> http://www.exploit-db.com/exploits/15240
>
> Can you please check and verify that these old issues have been fixed in
> the mean time?
Gunnar, did you get in touch with upstream?
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Gunnar Wolf <gwolf@debian.org>: Bug#695348; Package collabtive. (Thu, 10 Jan 2013 22:24:06 GMT)
Acknowledgement sent to Gunnar Wolf <gwolf@gwolf.org>: Extra info received and forwarded to list. Copy sent to Gunnar Wolf <gwolf@debian.org>. (Thu, 10 Jan 2013 22:24:06 GMT)
Message #15 received at 695348@bugs.debian.org:
Moritz Mühlenhoff said [Sun, Dec 30, 2012 at 02:23:51PM +0100]:
> (...)
> > Two CVE's were assigned recently for 'ancient' Collabtive security issues:
> (...)
> > Can you please check and verify that these old issues have been fixed in
> > the mean time?
>
> Gunnar, did you get in touch with upstream?
Hi, Thijs and Moritz. Thanks for following up on this - I was on
vacation, and this mail fell through the cracks for me. I'll get in
touch with upstream right away.
Information forwarded to debian-bugs-dist@lists.debian.org, Gunnar Wolf <gwolf@debian.org>: Bug#695348; Package collabtive. (Thu, 10 Jan 2013 22:39:06 GMT)
Acknowledgement sent to Gunnar Wolf <gwolf@gwolf.org>: Extra info received and forwarded to list. Copy sent to Gunnar Wolf <gwolf@debian.org>. (Thu, 10 Jan 2013 22:39:06 GMT)
Message #20 received at 695348@bugs.debian.org:
> > Two CVE's were assigned recently for 'ancient' Collabtive security issues:
> >
> > CVE-2010-5284
> > http://www.exploit-db.com/exploits/15240
> >
> > CVE-2010-5285
> > http://www.exploit-db.com/exploits/15240
FWIW the exploit-db webpage points at three different problems, two
XSS and one CSRF. The XSS are not present in collabtive 0.7.6, but the
CSRF is.
I'm getting in touch with the authors right now. Thanks!
Information forwarded to debian-bugs-dist@lists.debian.org, Gunnar Wolf <gwolf@debian.org>: Bug#695348; Package collabtive. (Thu, 10 Jan 2013 22:54:03 GMT)
Acknowledgement sent to Gunnar Wolf <gwolf@gwolf.org>: Extra info received and forwarded to list. Copy sent to Gunnar Wolf <gwolf@debian.org>. (Thu, 10 Jan 2013 22:54:03 GMT)
Message #25 received at 695348@bugs.debian.org:
> FWIW the exploit-db webpage points at three different problems, two
> XSS and one CSRF. The XSS are not present in collabtive 0.7.6, but the
> CSRF is.
>
> I'm getting in touch with the authors right now. Thanks!
http://collabtive.o-dyn.de/forum/viewtopic.php?f=11&t=8479
Information forwarded to debian-bugs-dist@lists.debian.org, Gunnar Wolf <gwolf@debian.org>: Bug#695348; Package collabtive. (Tue, 09 Dec 2014 21:21:04 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Gunnar Wolf <gwolf@debian.org>. (Tue, 09 Dec 2014 21:21:04 GMT)
Message #30 received at 695348@bugs.debian.org:
On Thu, Jan 10, 2013 at 04:47:35PM -0600, Gunnar Wolf wrote:
> > FWIW the exploit-db webpage points at three different problems, two
> > XSS and one CSRF. The XSS are not present in collabtive 0.7.6, but the
> > CSRF is.
> >
> > I'm getting in touch with the authors right now. Thanks!
>
> http://collabtive.o-dyn.de/forum/viewtopic.php?f=11&t=8479
Gunnar,
is this fixed in the version in jessie?
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Gunnar Wolf <gwolf@debian.org>: Bug#695348; Package collabtive. (Wed, 10 Dec 2014 03:06:04 GMT)
Acknowledgement sent to Gunnar Wolf <gwolf@gwolf.org>: Extra info received and forwarded to list. Copy sent to Gunnar Wolf <gwolf@debian.org>. (Wed, 10 Dec 2014 03:06:04 GMT)
Message #35 received at 695348@bugs.debian.org:
Moritz Mühlenhoff said [Tue, Dec 09, 2014 at 10:17:14PM +0100]:
> > > I'm getting in touch with the authors right now. Thanks!
> >
> > http://collabtive.o-dyn.de/forum/viewtopic.php?f=11&t=8479
>
> Gunnar,
> is this fixed in the version in jessie?
Sorry for the delay for this reply!
I can confirm that, from the three attacks mentioned in
exploit-db¹, attacks 1 and 3 do not work. As for attack 2 (the CSRF),
the description just reads:

    Technically, attacker can create a specially crafted page and
    force collabtive administrators to visit it and can gain
    administrative privilege. For prevention from CSRF
    vulnerabilities, application needs anti-csrf token, captcha and
    asking old password for critical actions.

The referred site for the POC exploit² no longer exists, so I cannot
confirm whether it has been fixed or not. I can see from the forum
post you linked to that the author does not believe it to be a
realistic, important enough issue to worry about.
¹ http://www.exploit-db.com/exploits/15240/
² http://www.anatoliasecurity.com/exploits/collabtive-csrf-xploit.txt
Information forwarded to debian-bugs-dist@lists.debian.org, Gunnar Wolf <gwolf@debian.org>: Bug#695348; Package collabtive. (Mon, 29 Dec 2014 00:33:05 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Gunnar Wolf <gwolf@debian.org>. (Mon, 29 Dec 2014 00:33:05 GMT)
Message #40 received at 695348@bugs.debian.org:
On Tue, Dec 09, 2014 at 08:56:21PM -0600, Gunnar Wolf wrote:
> Moritz Mühlenhoff said [Tue, Dec 09, 2014 at 10:17:14PM +0100]:
> > > > I'm getting in touch with the authors right now. Thanks!
> > >
> > > http://collabtive.o-dyn.de/forum/viewtopic.php?f=11&t=8479
> >
> > Gunnar,
> > is this fixed in the version in jessie?
>
> Sorry for the delay for this reply!
>
> I can confirm that, from the three attacks mentioned in
> exploit-db¹, attacks 1 and 3 do not work. As for attack 2 (the CSRF),
> the description just reads:
>
>     Technically, attacker can create a specially crafted page and
>     force collabtive administrators to visit it and can gain
>     administrative privilege. For prevention from CSRF
>     vulnerabilities, application needs anti-csrf token, captcha and
>     asking old password for critical actions.
>
> The referred site for the POC exploit² no longer exists, so I cannot
> confirm whether it has been fixed or not. I can see from the forum
> post you linked to that the author does not believe it to be a
> realistic, important enough issue to worry about.
I've updated the security tracker, I suggest we go ahead and close this
bug, no need to keep this open.
Cheers,
Moritz
Reply sent to Gunnar Wolf <gwolf@gwolf.org>: You have taken responsibility. (Thu, 22 Oct 2015 16:00:07 GMT)
Notification sent to "Thijs Kinkhorst" <thijs@debian.org>: Bug acknowledged by developer. (Thu, 22 Oct 2015 16:00:08 GMT)
Message #45 received at 695348-done@bugs.debian.org:
Version: 2.0+dfsg-5
We agreed to close this bug almost a year ago, but no action was
taken then.
Information forwarded to debian-bugs-dist@lists.debian.org, Gunnar Wolf <gwolf@debian.org>: Bug#695348; Package collabtive. (Thu, 22 Oct 2015 16:15:03 GMT)
Acknowledgement sent to Henri Salo <henri@nerv.fi>: Extra info received and forwarded to list. Copy sent to Gunnar Wolf <gwolf@debian.org>. (Thu, 22 Oct 2015 16:15:03 GMT)
Message #50 received at 695348@bugs.debian.org:
This was fixed in 0.7.6-1 already, which was tested. Possibly even earlier.
--
Henri Salo
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 20 Nov 2015 07:29:45 GMT)
Last modified: Wed Jun 19 19:20:25 2019