Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <20151012161612.5FE516C04EF@smtpvmsrv1.mitre.org>
Date: Mon, 12 Oct 2015 12:16:12 -0400 (EDT)
From: cve-assign@...re.org
To: nathan.van.gheem@...ne.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: Plone CSRF

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Can a CVE be assigned to this issue, please?
> 
>    https://plone.org/security/20151006/multiple-csrf-vulnerabilities-in-zope
>    https://plone.org/products/plone/security/advisories/security-vulnerability-20151006-csrf
> 
> Plone is built on the Zope2 application framework. In the Zope2 application
> framework, there are multiple CSRF vulnerabilities. The latest version of
> Plone has automatic CSRF protection integrated at the database layer. This
> patch basically backports the latest automatically CSRF infrastructure to
> Plone 4.x.

The vulnerability information can be covered in CVE; however, we do
not really understand why it is being presented in this way.

https://github.com/plone/plone4.csrffixes says "there are a lot of
CSRF problem with the ZMI that Zope2 will never be able to fix." It
seems that, normally, if one or more persons had discovered CSRF
problems in Zope2, then they could have CVE IDs for their discoveries.
Why is this a "never be able to fix" situation? Is there, more or
less, a requirement that Zope2 allow arbitrary requests from clients
that have never previously read the content of any web page, because
of the variety of ways that Zope2 is used? In that situation, the
request behavior of Zope2 would not necessarily be considered a Zope2
vulnerability.

Also, a separate issue is that the CVE request is specifically about
backporting. It seems that, at some time in the past, the possibility
of CSRF attacks against default Plone sites was identified and this
motivated the development of auto CSRF protection in Plone 5.
Normally, an assignment of a CVE ID or IDs would be associated with
the original discovery, not a later backporting of fixes. Are these
equivalent in this case: for example, were all of the CSRF attack
possibilities against default Plone sites discovered by Plone
Foundation contributors, and security-vulnerability-20151006-csrf is
the first general public announcement that these CSRF issues existed
at all?

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWG9wmAAoJEL54rhJi8gl5n6oQAKXuzwqb4bmBs4K5NhpJ4NtI
d37u737MsJSGLLtXGlrupC2XDwq/LuSN80SmOQVYnPn4EU4SU+17bvwjOP30LECD
DJMt7m10LuGjamyrbFGfALzXh0iPkZHoUN289c+oQZN9P8pdVlVfZlVrgZP2KPQk
3MbELeGrh0NogA2+yRFAdufKQovo4cnyQuHsxqpV/7Mv+YJwlFInhJVcrI35F5TF
R3sDKoIkjMXicPRA9+9dZYnTeNmypGVhuBUhG6UwW+Ob4dlR6fAyMH6NV+977r+5
9DnDsyHQ+6axYqNT/+4kY1tXHi9dXvhSoV71OGtcMODknD7RyiVdF1DpuJl7PP7Y
u+TaqrN7A7x5kalSCspLYsYlvciyIXURJv32ZANVeT/67mEqnWky7ZnoUrssPqzf
FIgqAM1MUPD9KT+P9zDoiG0oFfVKpu9EqLlo372pyw+nVn/2U0fPdGzKro+kOZGQ
CU+wxdFX2xwZTAsP1JXzHBoHEY0Q/i+GSAlqHvNuILlLgdypPS9YxiCNc0pVmsBE
2HRxNoZAWBhiAD/B/nEFjNyvi6yGzz35QNhaYGeMQpVrlDh65BNt3wT+pkCxB/tr
W7ZbRsu4DBxt/yyVy9FqOdw0eIqo2beplKxVWHjbAIKapQjCyJ0VXD887CBw7AlC
uVpQbre4M9bmYXVg95Bz
=tvlJ
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.