Developer Area/Security Team/CVE Request

From Mahara Wiki
Revision as of 14:00, 25 October 2011

Here is a sample email showing what kinds of things need to be included when requesting CVE numbers from Debian:

To: [email protected]
Cc: [email protected]
Subject: CVE Request for security bugs in mahara

Hi,

I'm an upstream developer for Mahara (packaged in Debian as "mahara") and we'd like to
get a CVE number for each of the following security bugs:

1- XSS in select box validation (unsanitized input can be found in the keys
   of the Pieforms drop downs) -- affects Mahara 1.0, 1.1 and 1.2

2- CSRF allowing blogs to be deleted (permissions are checked but the
   session key is neither passed nor checked) -- affects only the Mahara 1.2 series

The first issue was discovered by John Doe of Awesome Security Inc. while the second
one was found by the Mahara developers.

I have attached patches for both of these issues and will be preparing
updated packages to be uploaded at the same time as the upstream release.

Cheers,

DeveloperName

Attachments:
- xss_mahara10.patch
- xss_mahara11.patch
- xss_mahara12.patch
- csrf_mahara12.patch

Note that this information will end up on the CVE database and will get copied all over the place, so it's worth triple-checking and testing everything because it's next to impossible to fix mistakes later.