Re: [python-committers] [Infrastructure] [Pydotorg] XSS security issue

On Mon, 15 Jul 2013 11:09:08 +0300, Michael Foord <michael@voidspace.org.uk> wrote:
On 15 Jul 2013, at 11:05, "M.-A. Lemburg" <mal@python.org> wrote:
Who would be the one to contact for issues like these?
The case is rather urgent, since the XSS can be used for stealing session cookies on *.python.org.
The sorting by password issue is a more obscure one. Just removing the "feature" to sort by password should be enough to solve it.
Technically it's an infrastructure issue (cc'd), but fixing the code of roundup is hardly their domain.
Ezio Melotti (cc'd) did a lot of work on the Python installation of roundup, so he may have a better idea.
We have a security mailing list but that is mainly intended for security issues in the language:
security@python.org <security@python.org>
The OP also emailed security (which I heard about via IRC, I'm not on that list).
Ezio is a Roundup developer, so he is indeed the best person to look at the XSS issue, since it is a Roundup problem and not specific to the Tracker. I can take a look too but he is more knowledgeable than I about roundup itself.
There is another problem which is specific to our tracker and which is the bigger issue right at the moment. We have a 'nobody' user with a blank password and Developer privileges.
I'm about to go out, so I don't want to make a change that might break something right this moment, but anyone with the Coordinator role could take this on if they want to do it right now: remove either the Developer role, or both roles, from that user and see what happens. I suspect that user should not exist at all, but I don't know for sure.
--David

On Mon, Jul 15, 2013 at 8:08 AM, R. David Murray <rdmurray@bitdance.com> wrote:
On Mon, 15 Jul 2013 11:09:08 +0300, Michael Foord <michael@voidspace.org.uk> wrote:
On 15 Jul 2013, at 11:05, "M.-A. Lemburg" <mal@python.org> wrote:
Who would be the one to contact for issues like these?
The case is rather urgent, since the XSS can be used for stealing session cookies on *.python.org.
The sorting by password issue is a more obscure one. Just removing the "feature" to sort by password should be enough to solve it.
Technically it's an infrastructure issue (cc'd), but fixing the code of roundup is hardly their domain.
Ezio Melotti (cc'd) did a lot of work on the Python installation of roundup, so he may have a better idea.
We have a security mailing list but that is mainly intended for security issues in the language:
security@python.org <security@python.org>
The OP also emailed security (which I heard about via IRC, I'm not on that list).
Ezio is a Roundup developer, so he is indeed the best person to look at the XSS issue, since it is a Roundup problem and not specific to the Tracker. I can take a look too but he is more knowledgeable than I about roundup itself.
There is another problem which is specific to our tracker and which is the bigger issue right at the moment. We have a 'nobody' user with a blank password and Developer privileges.
I'm about to go out, so I don't want to make a change that might break something right this moment, but anyone with the Coordinator role could take this on if they want to do it right now: remove either the Developer role, or both roles, from that user and see what happens. I suspect that user should not exist at all, but I don't know for sure.
That user is owned by Donald Stufft (cc'ed). I actually can't log in as that user, though, so I think it might be a special user that you can't gain access to.

On Mon, Jul 15, 2013 at 9:33 AM, Brett Cannon <brett@python.org> wrote:
On Mon, Jul 15, 2013 at 8:08 AM, R. David Murray <rdmurray@bitdance.com> wrote:
On Mon, 15 Jul 2013 11:09:08 +0300, Michael Foord <michael@voidspace.org.uk> wrote:
On 15 Jul 2013, at 11:05, "M.-A. Lemburg" <mal@python.org> wrote:
Who would be the one to contact for issues like these?
The case is rather urgent, since the XSS can be used for stealing session cookies on *.python.org.
The sorting by password issue is a more obscure one. Just removing the "feature" to sort by password should be enough to solve it.
Technically it's an infrastructure issue (cc'd), but fixing the code of roundup is hardly their domain.
Ezio Melotti (cc'd) did a lot of work on the Python installation of roundup, so he may have a better idea.
We have a security mailing list but that is mainly intended for security issues in the language:
security@python.org <security@python.org>
The OP also emailed security (which I heard about via IRC, I'm not on that list).
Ezio is a Roundup developer, so he is indeed the best person to look at the XSS issue, since it is a Roundup problem and not specific to the Tracker. I can take a look too but he is more knowledgeable than I about roundup itself.
There is another problem which is specific to our tracker and which is the bigger issue right at the moment. We have a 'nobody' user with a blank password and Developer privileges.
I'm about to go out, so I don't want to make a change that might break something right this moment, but anyone with the Coordinator role could take this on if they want to do it right now: remove either the Developer role, or both roles, from that user and see what happens. I suspect that user should not exist at all, but I don't know for sure.
That user is owned by Donald Stufft (cc'ed). I actually can't log in as that user, though, so I think it might be a special user that you can't gain access to.
Donald's reply (since his email is in the committers review queue):
I can't comment on python-committers so my message didn't get through there (But did on Infrastructure).
My Message:
So I was able to log in to the "nobody" account without a password (Why is this even possible?). It gave me powers to edit users and some other shit. I added a password to the nobody account since these lists are publicly available and if I can get into that user so can others.
I will make the password available to whoever is in charge, (Or they can just change the password themselves I don't care).
If you want to pass this through to python-committers or something that's ok with me.
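The 'nobody' account discussed above (blank password, Developer role) is the kind of thing a periodic account audit catches before a mailing-list thread does. The script below is an added example and not part of this thread or of the python.org tracker; the user records, the role names Admin/Developer/Coordinator/Anonymous and the field layout are constructed assumptions, not the tracker's actual schema. It flags any login-capable account with an empty password and reports separately when such an account also carries a privileged role.

```python
# Added example: audit constructed user records for blank passwords on
# login-capable or privileged accounts. Roles, field names and records are
# assumptions for illustration, not the python.org Roundup schema.

# Roles that grant more than read/comment access (assumed set).
PRIVILEGED_ROLES = {"Admin", "Developer", "Coordinator"}

# Roles that never log in with a password, so a blank password is expected.
PASSWORDLESS_ROLES = {"Anonymous"}

# Constructed sample records. "PLACEHOLDER_HASH" stands in for a real hash.
SAMPLE_USERS = [
    {"username": "admin", "password": "PLACEHOLDER_HASH", "roles": ["Admin"]},
    {"username": "nobody", "password": "", "roles": ["User", "Developer"]},
    {"username": "anonymous", "password": None, "roles": ["Anonymous"]},
    {"username": "ezio", "password": "PLACEHOLDER_HASH", "roles": ["User", "Coordinator"]},
    {"username": "guest", "password": "", "roles": ["User"]},
]


def audit_users(users, privileged=PRIVILEGED_ROLES, passwordless=PASSWORDLESS_ROLES):
    """Return (username, finding) pairs, most severe first.

    A finding is raised when the stored password is empty/None on an account
    whose roles allow it to log in; privileged accounts are reported with the
    offending roles so they can be fixed first.
    """
    findings = []
    for user in users:
        roles = set(user.get("roles", []))
        blank_password = not user.get("password")
        login_capable = bool(roles - passwordless)
        if not (blank_password and login_capable):
            continue
        elevated = sorted(roles & privileged)
        if elevated:
            findings.append(
                (user["username"], "blank password with privileged roles: " + ", ".join(elevated))
            )
        else:
            findings.append((user["username"], "blank password on a login-capable account"))
    # Privileged findings sort before plain ones for triage.
    findings.sort(key=lambda f: (0 if "privileged" in f[1] else 1, f[0]))
    return findings


def privileged_blank_accounts(users):
    """Just the usernames that need immediate action (privileged + blank)."""
    return [name for name, msg in audit_users(users) if "privileged" in msg]


if __name__ == "__main__":
    for name, msg in audit_users(SAMPLE_USERS):
        print(f"{name}: {msg}")
```

The remediation the thread settles on is either to set a password on the account or to strip its roles; the audit is only useful if it runs after such changes too, so a re-run over the corrected records should return an empty list.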

Hi,
On Mon, Jul 15, 2013 at 2:08 PM, R. David Murray <rdmurray@bitdance.com> wrote:
On Mon, 15 Jul 2013 11:09:08 +0300, Michael Foord <michael@voidspace.org.uk> wrote:
On 15 Jul 2013, at 11:05, "M.-A. Lemburg" <mal@python.org> wrote:
Who would be the one to contact for issues like these?
The case is rather urgent, since the XSS can be used for stealing session cookies on *.python.org.
The sorting by password issue is a more obscure one. Just removing the "feature" to sort by password should be enough to solve it.
Technically it's an infrastructure issue (cc'd), but fixing the code of roundup is hardly their domain.
Ezio Melotti (cc'd) did a lot of work on the Python installation of roundup, so he may have a better idea.
We have a security mailing list but that is mainly intended for security issues in the language:
security@python.org <security@python.org>
The OP also emailed security (which I heard about via IRC, I'm not on that list).
Ezio is a Roundup developer, so he is indeed the best person to look at the XSS issue, since it is a Roundup problem and not specific to the Tracker. I can take a look too but he is more knowledgeable than I about roundup itself.
I don't have time to look at this now, and it might take up to 2 weeks before I find some time. The fix is usually as simple as adding a call to escape() in the right spot, but finding the right spot and testing that the fix works might take some time. Before doing this, our Roundup instance should be updated (1.5.0 has been released recently, but AFAIK it doesn't include a fix for this). FTR the issue has been reported upstream at <http://issues.roundup-tracker.org/issue2550817>.
Best Regards, Ezio Melotti
There is another problem which is specific to our tracker and which is the bigger issue right at the moment. We have a 'nobody' user with a blank password and Developer privileges.
I'm about to go out, so I don't want to make a change that might break something right this moment, but anyone with the Coordinator role could take this on if they want to do it right now: remove either the Developer role, or both roles, from that user and see what happens. I suspect that user should not exist at all, but I don't know for sure.
--David
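Ezio's "add a call to escape() in the right spot" is the whole shape of a reflected/stored XSS fix: every user-controlled value is escaped at the point it is interpolated into HTML. The snippet below is an added illustration written for this thread, not Roundup's code or the actual fix for the tracker issue; the row-rendering functions, the sample title and submitter strings, and the cookie helper are constructed assumptions. It shows the defective rendering beside the escaped one, a small regression check that reports any untrusted value reaching the output with markup characters intact, and the HttpOnly session-cookie attribute that limits the cookie theft David describes even when an escape is missed.

```python
# Added example: escaping user-controlled tracker fields before they enter
# HTML, plus a regression check and a defence-in-depth cookie attribute.
# Nothing here is Roundup code; the rendering functions are illustrative.
import html

# Constructed sample values of the kind an issue form accepts.
SAMPLE_TITLE = 'Parser crash on <script>alert("constructed")</script> input'
SAMPLE_SUBMITTER = 'Nobody <"nobody"@example.invalid>'


def render_issue_row_unescaped(title, submitter):
    """The defect: user-controlled fields interpolated straight into HTML."""
    return f"<tr><td>{title}</td><td>{submitter}</td></tr>"


def render_issue_row(title, submitter):
    """The fix: escape each untrusted value where it enters the HTML.

    quote=True also turns '"' and "'" into entities, so the same helper is
    safe for attribute values, not only for element text.
    """
    return (
        f"<tr><td>{html.escape(title, quote=True)}</td>"
        f"<td>{html.escape(submitter, quote=True)}</td></tr>"
    )


def unescaped_values(rendered, untrusted_values):
    """Regression check: return the untrusted values that appear verbatim in
    the rendered output while still containing HTML-significant characters."""
    significant = set('<>"\'&')
    return [
        value
        for value in untrusted_values
        if (set(value) & significant) and value in rendered
    ]


def session_cookie_header(name, value, secure=True):
    """Defence in depth: HttpOnly keeps the session cookie unreadable from
    script, so a missed escape no longer hands the session to an injected
    payload. Secure restricts the cookie to HTTPS (assumed for *.python.org).
    """
    attrs = [f"{name}={value}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if secure:
        attrs.append("Secure")
    return "Set-Cookie: " + "; ".join(attrs)


if __name__ == "__main__":
    untrusted = [SAMPLE_TITLE, SAMPLE_SUBMITTER]
    print("before:", unescaped_values(render_issue_row_unescaped(*untrusted), untrusted))
    print("after: ", unescaped_values(render_issue_row(*untrusted), untrusted))
    print(session_cookie_header("roundup_session", "PLACEHOLDER_SESSION_ID"))
```

The regression check is deliberately crude (a substring test), which is what makes it useful in a template test suite: if a later refactor drops the escape() call, the constructed title reappears in the output unchanged and the test fails before the page ships.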