Open Bug 791767 (etherpad-secreview) Opened 9 years ago Updated 6 years ago

SecReview: Etherpad

Categories: mozilla.org :: Security Assurance: Review Request, task, P4
Tracking: Not tracked
Status: ASSIGNED
People: Reporter: mfuller, Assigned: mfuller, NeedInfo
Whiteboard: [pending secreview][score:18::Low]

Bug for Etherpad security review being conducted currently.
Risk/Priority Ranking Exercise https://wiki.mozilla.org/Security/RiskRatings

Priority: 2 (P4) - Team Quarterly Goal

Operational: 1 - Minor
User: 3 - Major
Privacy: 0 - N/A
Engineering: 3 - Major
Reputational: 2 - Normal

Priority Score: 18
Severity: normal → major
Priority: -- → P4
Whiteboard: [pending secreview] → [pending secreview][score:18::Low]
Depends on: 790099
Depends on: 792123
There are also a number of other "best practices" failures within Etherpad that are too small to merit creating new bugs but still affect the overall security:

- Pads with passwords have no password policy and allow passwords as short as 1 character.
- The password is stored in plaintext
- STS is not set
- Uploaded file types are not consistently checked (it lists "txt, doc, html" as acceptable types, yet I was able to upload PHP but not JPG).
- No CSRF on new pads means a new pad is created each time a GET request is made. A simple script and an hour of time could flood the database

I am halting the sec review at this time due to other priorities, but if more evidence against etherpad old is needed, I can dig deeper. The above bugs are mostly low-hanging fruit, but can still cause a security headache if exploited, especially given the amount of sensitive data stored in etherpad.
> - No CSRF on new pads means a new pad is created each time a GET request is made. A
> simple script and an hour of time could flood the database

Even with CSRF protection, couldn't an evil client do the same thing?

> I am halting the sec review at this time due to other priorities, but if more
> evidence against etherpad old is needed, I can dig deeper.

Is the plan of record to upgrade to Etherpad Lite?
(In reply to Jesse Ruderman from comment #3)
> Is the plan of record to upgrade to Etherpad Lite?

Yes, that's been the plan since EL was released, more or less... irrespective of security in Etherpad Classic, EL is a simpler app to maintain (and actually has upstream maintenance). The primary blocker is lack of team site functionality in Etherpad Lite. Work is happening to rectify this.
Is there a bug for a sec-review of Etherpad Lite? IMO it makes much more sense to concentrate our sec-review resources on that rather than Etherpad Classic. All the cool kids (really, *all* the kids) are working on EL these days. :)
There will be, we're just using this bug as more of a tracking bug for all the issues we have with Etherpad. Etherpad lite is in the works and a review should be happening in early October.
Will I get nominated on the 18 score for the bug bounty? The bug was realised by me, but I can't see the detailed bug report I submitted.
I mean, the bug was submitted by me on Etherpad, but I can't see the details I submitted.
The score is an internal system we use for deciding what work to do first and has nothing to do with bug bounties. And in general this site is not available for bounties, but that decision is up to the bounty committee.
Vaibhav, sorry for the confusion - I may have added one of your bugs as a blocker to this because we are tracking every security issue with Etherpad. You should still be able to see the bug you reported, but as Curtis said, we typically discuss Etherpad bugs before awarding a nomination. The score of 18 you see is for the Etherpad review itself, not the individual bugs.
Why would Etherpad be ineligible for bounties? Its subdomains (such as https://security.etherpad.mozilla.org/) have private data and accounts, which I thought was the main criterion.
Yeah, I mean the same. It is a sub-domain of Mozilla and consists of secure data and info.
I request you to look at the bug again. I thought it was a critical issue when I reported it.

Thanks
Matt Fuller, it is fine that you added my bug to track security issues. That was the XSS showing a valid cookie that I reported. I got you clearly. But I want to know why it's not eligible for a bug bounty.
Vaibhav, what bug number exactly did you report? I don't see any bugs by you relating to Etherpad.
Even I can't see the bug I reported, or I can't find it. I let you know that I reported cross-site scripting on Etherpad. I have the email regarding the same on my registered Bugzilla email. Help me find it. Thanks.
Sorry guys, I didn't see the response. That bug was a duplicate.
Here:
https://bugzilla.mozilla.org/show_bug.cgi?id=748497
:mfuller - are you going to keep this or do we need to reassign?
Flags: needinfo?(matthewdf10)
Can I ask, does this security review include etherpad2?
Do you mean Etherpad Lite? We have done a security review of etherpad lite in bug 795501 (which is not public yet, but may become so in the future). The outcome of said security review was Etherpad Lite release 1.2.9. See http://blog.etherpad.org/2013/03/17/releasing-1-2-9/
I believe this bug was for Etherpad Lite, if I am correct.
There is no need to dig out this thread.

*This* bug (791767) is for Etherpad.
Bug 795501 was for Etherpad Lite.
See Also: → 831448
See Also: → 1169468
Alias: etherpad-secreview