[Buildbot-devel] [SECURITY ALERT] XSS Vulnerability in Console - 0.8.0p1 and 0.8.1p1

Dustin J. Mitchell dustin at zmanda.com
Sat Oct 2 00:48:34 UTC 2010


SUMMARY

Amber Yust has discovered and fixed several cross-site scripting
vulnerabilities in the Buildbot console.  These vulnerabilities allow an
attacker to craft a URL targeting a specific Buildbot instance and
run arbitrary browser-side code in the context of that Buildbot
instance.  This constitutes a security risk both for the Buildbot
instance and for any other services hosted on the same domain as that
Buildbot instance, and is a particular threat when browsers'
same-origin policy is used to protect sensitive information such as
cookies.

Note that Buildbot itself does not use cookies (even in the IAuth
framework), so the risk for a standalone buildbot instance is somewhat
limited.  Even so, all users are urged to upgrade or apply the patch
given in the MITIGATION section, below.

The vulnerabilities are limited to the console view, and do not
affect Buildbot slaves.

AFFECTED VERSIONS
 buildbot-0.8.0
 buildbot-0.8.1

UNAFFECTED VERSIONS
 all earlier versions

MITIGATION

All users of Buildbot are urged to patch their installations.  Patches
are available for both affected versions, as are patched source
packages, in the following directories:

  https://sourceforge.net/projects/buildbot/files/buildbot/0.8.0p1/
  https://sourceforge.net/projects/buildbot/files/buildbot/0.8.1p1/

Each of the source packages is identical to the previous release with
the sole addition of the patch to fix this vulnerability.

File checksums are as follows.  The corresponding tags in git are
signed by my GPG public key (7F0D15B1) (available from keyservers), as
are the .asc files available on SourceForge.

a35b4b2e01f94badbb6c80af907e4c64  buildbot-0.8.0p1.tar.gz
ebf8fe23518fcc3bdd763b98ab9b03c4  buildbot-0.8.0p1.zip
fc12c0e94e246b9b12c80a0baf72de08  buildbot-0.8.1p1.tar.gz
d0cc794554636c7c053b4bd1f16dfd7f  buildbot-0.8.1p1.zip
c59101ca454111d3c56d2da37a79171d  buildbot-slave-0.8.1p1.tar.gz
37dedf2a0d09e4037e9a566dfe817427  buildbot-slave-0.8.1p1.zip
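The verification the MITIGATION section describes, as an added shell example that is not part of the advisory: it checks a downloaded package against the checksums listed above and its .asc signature against key 7F0D15B1, assuming md5sum (or BSD md5) and gpg are on PATH and the package and its .asc file are in the current directory.

```shell
#!/bin/sh
# Verify buildbot-0.8.xp1 packages against the advisory's md5 checksums
# and their detached .asc signatures.  Added example, not advisory code.

# Checksums copied verbatim from the advisory above (md5sum -c format).
ADVISORY_MD5='a35b4b2e01f94badbb6c80af907e4c64  buildbot-0.8.0p1.tar.gz
ebf8fe23518fcc3bdd763b98ab9b03c4  buildbot-0.8.0p1.zip
fc12c0e94e246b9b12c80a0baf72de08  buildbot-0.8.1p1.tar.gz
d0cc794554636c7c053b4bd1f16dfd7f  buildbot-0.8.1p1.zip
c59101ca454111d3c56d2da37a79171d  buildbot-slave-0.8.1p1.tar.gz
37dedf2a0d09e4037e9a566dfe817427  buildbot-slave-0.8.1p1.zip'

# md5_of FILE: print the md5 hex digest of FILE (GNU md5sum or BSD md5).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# expected_md5 NAME: the advisory checksum for NAME, or empty if unlisted.
expected_md5() {
    printf '%s\n' "$ADVISORY_MD5" | awk -v n="$1" '$2 == n {print $1}'
}

# check_md5 FILE EXPECTED: return 0 only if FILE hashes to a non-empty EXPECTED.
check_md5() {
    actual=$(md5_of "$1")
    [ -n "$2" ] && [ "$actual" = "$2" ]
}

# check_sig FILE: return 0 if FILE.asc is a valid signature by a key whose
# fingerprint ends in 7F0D15B1.  The advisory gives only this short id, so
# fetch the key (gpg --recv-keys 7F0D15B1) and confirm its full fingerprint
# out of band before relying on this check.
check_sig() {
    gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null \
        | grep -q '^\[GNUPG:\] VALIDSIG [0-9A-F]*7F0D15B1 '
}

# verify_package NAME: checksum and signature for one advisory package.
verify_package() {
    check_md5 "$1" "$(expected_md5 "$1")" || { echo "md5 mismatch: $1" >&2; return 1; }
    check_sig "$1" || { echo "bad or missing signature: $1" >&2; return 1; }
    echo "ok: $1"
}

# Usage: sh verify.sh buildbot-0.8.1p1.tar.gz buildbot-slave-0.8.1p1.tar.gz
if [ $# -gt 0 ]; then
    for f in "$@"; do verify_package "$f" || exit 1; done
fi
```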

Official information about this vulnerability is here:
  http://buildbot.net/trac/wiki/SecurityAlert081

Dustin

-- 
Open Source Storage Engineer
http://www.zmanda.com