Bug 791767 (etherpad-secreview) - SecReview: Etherpad
Status: ASSIGNED (Open) - opened 13 years ago, updated 10 years ago
Product / Component: mozilla.org :: Security Assurance: Review Request (task, P4)
Tracking: Not tracked
People: Reporter: mfuller, Assigned: mfuller, NeedInfo
Whiteboard: [pending secreview][score:18::Low]
Bug for Etherpad security review being conducted currently.
Comment 1 (Assignee) • 13 years ago
Risk/Priority Ranking Exercise https://wiki.mozilla.org/Security/RiskRatings
Priority: 2 (P4) - Team Quarterly Goal
Operational: 1 - Minor
User: 3 - Major
Privacy: 0 - N/A
Engineering: 3 - Major
Reputational: 2 - Normal
Priority Score: 18
Updated • 13 years ago
Severity: normal → major
Priority: -- → P4
Whiteboard: [pending secreview] → [pending secreview][score:18::Low]
Comment 2 (Assignee) • 13 years ago
There are also a number of other "best practices" failures within Etherpad that are too small to merit creating new bugs but still affect the overall security:
- Pads with passwords have no password policy and allow passwords as short as 1 character.
- The password is stored in plaintext
- STS is not set
- Uploaded file types are not consistently checked (it lists "txt, doc, html" as acceptable types, yet I was able to upload PHP but not JPG).
- No CSRF on new pads means a new pad is created each time a GET request is made. A simple script and an hour of time could flood the database
I am halting the sec review at this time due to other priorities, but if more evidence against etherpad old is needed, I can dig deeper. The above bugs are mostly low-hanging fruit, but can still cause a security headache if exploited, especially given the amount of sensitive data stored in etherpad.
Comment 3 • 13 years ago
> - No CSRF on new pads means a new pad is created each time a GET request is made. A
> simple script and an hour of time could flood the database
Even with CSRF protection, couldn't an evil client do the same thing?
> I am halting the sec review at this time due to other priorities, but if more
> evidence against etherpad old is needed, I can dig deeper.
Is the plan of record to upgrade to Etherpad Lite?
Comment 4 • 13 years ago
(In reply to Jesse Ruderman from comment #3)
> Is the plan of record to upgrade to Etherpad Lite?
Yes, that's been the plan since EL was released, more or less... irrespective of security in Etherpad Classic, EL is a simpler app to maintain (and actually has upstream maintenance). The primary blocker is lack of team site functionality in Etherpad Lite. Work is happening to rectify this.
Comment 5 • 13 years ago
Is there a bug for a sec-review of Etherpad Lite? IMO it makes much more sense to concentrate our sec-review resources on that rather than Etherpad Classic. All the cool kids (really, *all* the kids) are working on EL these days. :)
Comment 6 (Assignee) • 13 years ago
There will be; we're just using this bug as more of a tracking bug for all the issues we have with Etherpad. Etherpad Lite is in the works and a review should be happening in early October.
Comment 7 • 13 years ago
Will I get nominated on the 18 score for the bug bounty? The bug was realised by me, but I can't see the detailed bug report I submitted.
Comment 8 • 13 years ago
I mean it: the bug was submitted by me on Etherpad, but I can't see the details I submitted.
The score is an internal system we use for deciding what work to do first and has nothing to do with bug bounties. And in general this site is not available for bounties, but that decision is up to the bounty committee.
Comment 10 (Assignee) • 13 years ago
Vaibhav, sorry for the confusion - I may have added one of your bugs as a blocker to this because we are tracking every security issue with Etherpad. You should still be able to see the bug you reported, but as Curtis said, we typically discuss Etherpad bugs before awarding a nomination. The score of 18 you see is for the Etherpad review itself, not the individual bugs.
Comment 11 • 13 years ago
Why would Etherpad be ineligible for bounties? Its subdomains (such as https://security.etherpad.mozilla.org/) have private data and accounts, which I thought was the main criterion.
Comment 12 • 13 years ago
Yeah, I mean the same. It is a sub-domain of Mozilla and contains secure data and info.
I request you to see the bug again. I thought it was a critical issue when I reported it.
Thanks
Comment 13 • 13 years ago
Matt Fuller, it is fine that you added my bug to track security issues. That was the XSS showing a valid cookie that I reported. I got you clearly, but I wanna know why it's not eligible for the bug bounty.
Comment 14 (Assignee) • 13 years ago
Vaibhav, what bug number exactly did you report? I don't see any bugs by you relating to Etherpad.
Comment 15 • 13 years ago
Even I can't see the bug I reported, or I can't find it. I let you know that I reported cross-site scripting on Etherpad. I have the email regarding the same on my registered Bugzilla email. Help me find the same. Thanks
Comment 16 • 13 years ago
Sorry guys, I didn't see the response. That bug was a duplicate, here:
https://bugzilla.mozilla.org/show_bug.cgi?id=748497
:mfuller - are you going to keep this or do we need to reassign?
Flags: needinfo?(matthewdf10)
Comment 18 • 12 years ago
Can I ask, does this security review include etherpad2?
Comment 19 • 12 years ago
Do you mean Etherpad Lite? We have done a security review of etherpad lite in bug 795501 (which is not public yet, but may become so in the future). The outcome of said security review was Etherpad Lite release 1.2.9. See http://blog.etherpad.org/2013/03/17/releasing-1-2-9/
Comment 20 • 11 years ago
I believe this bug was for Etherpad Lite, if I am correct.
Comment 21 • 11 years ago
There is no need to dig out this thread.
*This* bug (791767) is for Etherpad.
Bug 795501 was for Etherpad Lite.