[Buildbot-devel] [SECURITY ALERT] XSS Vulnerability in Console - 0.8.0p1 and 0.8.1p1
Dustin J. Mitchell
dustin at zmanda.com
Sat Oct 2 00:48:34 UTC 2010
SUMMARY
Amber Yust has discovered and fixed several cross-site scripting
vulnerabilities in the Buildbot console. This vulnerability allows an
attacker to craft a URL targetting a specific Buildbot instance, and
run arbitrary browser-side code in the context of that Buildbot
instance. This constitutes a security risk both for the Buildbot
instance and for any other services hosted on the same domain as that
Buildbot instance, and is a particular threat when browsers'
same-origin policy is used to protect sensitive information such as
cookies.
Note that Buildbot itself does not use cookies (even in the IAuth
framework), so the risk for a standalone buildbot instance is somewhat
limited. Even so, all users are urged to upgrade or apply the patch
given in the MITIGATION section, below.
The vulnerabilities are limited to the console view, and do not
affect Buildbot slaves.
AFFECTED VERSIONS
buildbot-0.8.0
buildbot-0.8.1
UNAFFECTED VERSIONS
all earlier versions
MITIGATION
All users of Buildbot are urged to patch their installations. Patches
are available for both affected versions, as are patched source
packages, in the following directories:
https://sourceforge.net/projects/buildbot/files/buildbot/0.8.0p1/
https://sourceforge.net/projects/buildbot/files/buildbot/0.8.1p1/
Each of the source packages are identical to the previous release with
the sole addition of the patch to fix this vulnerability.
File checksums are as follows. The corresponding tags in git are
signed by my GPG public key (7F0D15B1) (available from keyservers), as
are the .asc files available on SourceForge.
a35b4b2e01f94badbb6c80af907e4c64 buildbot-0.8.0p1.tar.gz
ebf8fe23518fcc3bdd763b98ab9b03c4 buildbot-0.8.0p1.zip
fc12c0e94e246b9b12c80a0baf72de08 buildbot-0.8.1p1.tar.gz
d0cc794554636c7c053b4bd1f16dfd7f buildbot-0.8.1p1.zip
c59101ca454111d3c56d2da37a79171d buildbot-slave-0.8.1p1.tar.gz
37dedf2a0d09e4037e9a566dfe817427 buildbot-slave-0.8.1p1.zip
Official information about this vulnerability is here:
http://buildbot.net/trac/wiki/SecurityAlert081
Dustin
--
Open Source Storage Engineer
http://www.zmanda.com
More information about the devel
mailing list